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Abstract. Size-Change Termination (SCT) is a method of proving program 
termination based on the impossibility of infinite descent. To this end we use 
a program abstraction in which transitions are described by monotonicity con- 
straints over (abstract) variables. When only constraints of the form x > y' and 
x > y' are allowed, we have size-change graphs. In the last decade, both theory 
and practice have evolved significantly in this restricted framework. The crucial 
underlying assumption of most of the past work is that the domain of the variables 
is well-founded. In a recent paper I showed how to extend and adapt some theory 
from the domain of size-change graphs to general monotonicity constraints, thus 
complementing previous work, but remaining in the realm of well-founded do- 
mains. However, monotonicity constraints are, interestingly, capable of proving 
termination also in the integer domain, which is not well-founded. 

The purpose of this paper is to explore the application of monotonicity con- 
straints in this domain. We lay the necessary theoretical foundation, and present 
precise decision procedures for termination; finally, we provide a procedure to con- 
struct explicit global ranking functions from monotonicity constraints in singly- 
exponential time, and of optimal worst-case size and dimension (ordinal). 



1. Introduction 

This paper concerns automated termination analysis — deciding whether a program 
terminates, and possibly generating a global ranking function. The termination prob- 
lem is well-known undecidable for Turing-complete programming languages; one of 
the ways in which this obstacle may be circumvented is to study, for this purpose, 
a class of abstract programs that are expressive enough to allow many concrete pro- 
grams to be represented, so that termination of the abstraction implies termination 
of the concrete program. An important point is that the abstract programs do not 
constitute a Turing-complete programming language and can have a decidable ter- 
mination problem. The abstraction studied in this paper is monotonicity constraint 
transition systems [12^16]. The term will be usually abbreviated to MCS. 
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The MCS abstraction is an extension of the SCT (Size-Change Termination |23j) 
abstraction, which has been studied quite extensively during the last decadal, repre- 
sent a program as a transition system with states. Abstraction of a program consists 
of the formation of a control-flow graph for the program, identification of a set of 
state variables, and formation of a finite set of abstract transitions (i.e., abstract 
descriptions of program steps, where the notion of step can be tuned to different 
needs). 

In the SCT abstraction, an abstract transition is specified by a set of inequali- 
ties, that relate variable values in the target state to those of the source state (these 
inequalities are often represented by a size-change graph). Extending this notion, 
a monotonicity constraint (MC) allows for any conjunction of order relations, in- 
cluding equalities as well as strict and non-strict inequalities, and involving any pair 
of variables from the source state and target state. The Monotonicity Constraint 
Transition Systems treated in this paper also allow constraints to be associated with 
a point in the control-flow graph (these are called state invariants). 

The size-change technique was conceived to deal with well-founded domains, 
where infinite descent is impossible. Termination is deduced by proving that any 
(hypothetical) infinite run would decrease some value monotonically and endlessly, 
so that well-foundedness would be contradicted. 

Monotonicity constraints generalize the SCT abstraction and are clearly more 
expressive, a fact that was highlighted by Codish, Lagoon and Stuckey p2]. They 
made the intriguing observation that pre-existing termination analyzers based on 
monotonicity constraints [241 [13~1 [25] apply a termination test which is sound and 
complete for SCT, but incomplete for general monotonicity constraints, even if one 
does not change the underlying model — namely that "data" are from an unspecified 
well-founded domain. In addition, they pointed out that monotonicity constraints 
can imply termination under a different assumption — that the data are integers. 
Integers, not being well-founded, cannot be handled by the SCT abstraction. 

In practice, the integers are already the predominant domain for monotonicity 
constraints and size-change termination. Often — in particular in functional and logic 
programming — they represent the size of a list or tree (whence the term size-change 
termination), and are necessarily non- negative, which allows the well-founded model 
to be used. In contrast, in certain application domains, and typically in imperative 
programming, the crucial variables are of integer type and might be negative (by 
design or by mistake). But MCs can still imply termination, as witnessed by the 
loop while (x<y) x=x+l. The value of x does not descend but grow; however the 
constraint x < y (along with the fact that y does not change) tells us that this 
cannot go on forever. 

In a previous paper [6] , the theory of monotonicity constraint transition systems 
in the well-founded model was investigated. Main results include: 

• The syntax and semantics of the abstraction are presented. 

• A combinatorial termination criterion is formulated in terms of the representa- 
tion of monotonicity constraints as graphs (briefly: the existence of an infinite 

References are too numerous to cite here, but see the author's summary web page 
: //www2 .mta. ac . il/~amirben/sct .html ). 
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descending path, or walk, in every infinite multipath). This is an adaptation of 
the SCT criterion from |23| . 

• It is proved that satisfaction of this criterion is equivalent to the termination of 
transition system that satisfies the constraints — in logical terms, the criterion is 
sound and complete. 

• Termination of MCSs is shown decidable, and more precisely, PSPACE-complete. 
Two decision procedures are given: a direct closure-based algorithm, and a reduc- 
tion of the problem to SCT, which provides an alternative algorithm, along with 
insight into the relationship between the two constraint domains. 

• An algorithm is given to construct explicit global ranking functions given any ter- 
minating MCS (recall that a global ranking function is a function from program 
states into a well-founded domain, that decreases on every transition). The algo- 
rithm has optimal time complexity (2°( nlo s n )) and produces a ranking function 
whose values are tuples, under the lexicographic ordering. It is also optimal in the 
dimension (length of the tuples, implying the ordinal of the codomain), at least 
in a worst-case sense. 

The contribution of this paper is to obtain some similar results in the integer model. 
This development is more complicated than in the well-founded model, but is cer- 
tainly worthwhile due to the practical importance of this domain (many published 
termination analyses target the integers specifically; a few, closest to this work, are 
referenced in the related- work section). 

An intuitive reduction of the integer case back to the well-founded case is to 
create a new variable for every difference which can be deduced from the 

constraints to be non-negative, and also deduce relations among these new variables 
to obtain a new abstract program over the natural numbers. But this solution may 
square the number of variables, which is bad because this number is in the exponent 
of the complexity, and in general is not complete (see Example 12.91) in the next 
section). We tackle the problem directly instead, but as an interesting corollary 
we shall find that the above reduction is, in fact, a correct solution given a certain 
preprocessing of the program. 

This paper is organized as follows. In the next section we formally introduce 
monotonicity constraint transition systems and their semantics. After this quick 
technical introduction a sample of examples are given, witnessing the range of ter- 
mination arguments captured by this framework. Section [3] recalls the notion of 
a stable MCS (introduced in [6]). Stabilization propagates invariants around the 
abstract program and makes it more amenable to local analysis. Section |4] gives a 
combinatorial termination criterion (in terms of graphs), similar to what has been 
known for SCT and for MCS in previous work. The criterion is proved sound and 
complete and decision algorithms are discussed. In Section [5l we recall another 
notion from [6], that of elaboration. Elaborating a systems makes some informa- 
tion which implicit in it, explicit, and further simplifies its algorithmic processing. 
It is used in Section [6l presenting the algorithm to construct ranking functions. 
Section [7] complements the previous sections by briefly explaining the role of reach- 
ability (sometimes a program may seem to contain an infinite loop, but it is not 
reachable). Section [8] discusses related work and Section [9] concludes. 
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This paper is intended to be self-contained, so that it can be read indepen- 
dently of its predecessor [6]. However, a reader may be interested to know what the 
challenges were in handling the integer domain in constrast with the well-founded 
domain, where the definitions or techniques are the same, when they differ and how. 
The paper is interspersed with special comments marked with the symbol 7L. These 
comments are meant to answer the above questions. They can be skipped without 
compromising the integrity of the text. 

The central results of this work have been presented in the 20th International 
Conference on Computer Aided Verification conference (2009) and are stated, very 
briefly, in the proceedings [5] . 

2. Basic Definitions and Motivating Examples 

Z: The basic definitions fSect. |2~TH2.2I) are essentially as in [6], except for the notation ir- 
tcrmination, introduced for distinction between the integer interpretation of an MCS and 
the well-founded interpretation. Section r2.3l includes examples to show the expressiveness 
of the integer MCS model and contrast it with the usage of SCT to analyze the same 
programs. 

2.1. Monotonicity constraint transition systems. A monotonicity constraint 
transition system is an abstract program. An abstract program is, essentially, a set 
of abstract transitions. An abstract transition is a relation on (abstract) program 
states. When describing program transitions, it is customary to mark the variables in 
the resulting state with primes (e.g., x'). For simplicity, we will name the variables 
xi,...,x n (regardless of what program variables they represent). This notation 
also suggests that the same number of variables (n) is used to represent all states. 
Of course, in actual programs this is not necessarily the case (for example due to 
different scopes) and it will be more efficient to maintain only the necessary variables 
at each program point. 

Definition 2.1 (MCS). A monotonicity constraint transition system, or MCS, is 
an abstract program representation that consists of a control- flow graph (CFG), 
monotonicity constraints and state invariants, all defined below. 

• A control-flow graph is a directed graph (allowing parallel arcs) over the set F of 
flow points. 

• A monotonicity constraint (MC) is a conjunction of order constraints x X y where 
x,y £ {xi, . . .,x n ,x[, . . .,x' n }, and txi G {>, >, =}. 

• Every CFG arc / — > g is associated with a monotonicity constraint G. We write 
G:f^g. 

• For each / £ F, there is an invariant If, which is a conjunction of order constraints 
among the variables. 

The terms "abstract program" and "MCS" are used interchangeably, when context 
permits. The letter A is usually used to denote such a program; i 7 " 4 will be its flow- 
point set. When notions of connectivity are applied to A (such as, U A is strongly 
connected"), they concern the underlying CFG. 
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2.2. Semantics. 

Definition 2.2 (states). A state of A (or an abstract state) is s = (/, cr), where 
/ G F* 4 - and <r : {1, . . . , n} — >• Z represents an assignment of values to the variables. 

Satisfaction of a predicate e with free variables xi, . . . , x n (for example, x\ > X2) 
by an assignment a is defined in the natural way, and expressed by a \= e. If e is a 
predicate involving the 2n variables x±, . . . , x n , x'i, . . . ,x' n , we write a, a' \= e when 
e is satisfied by setting the unprimed variables according to a and the primed ones 
according to a'. 

Definition 2.3 (transitions). A transition is a pair of states, a source state s and 
a target state s'. For G : f — >• g G A, we write (/, a), (g,<r') \= G if a \= If, a' (= 7 g 
and cr, cr' |= G. We say that transition s 1— >• s' satisfies G. 

Note that we may have unsatisfiable MCs, such as x\ > X2AX2 > x\\ it is useful 
to view all such MCs as synonyms and use the common notation _L for them (as one 
would typically do in an Abstract Interpretation domain). 

Definition 2.4 (transition system). The transition system associated with A is the 
binary relation 

T A = {(a, s') \s,s' \=G for some G £ A}. 

Note that a program representation may also be called a "transition system." I am 
using the unqualified term for a semantic object. The program representation is 
referred to as an MC transition system (or sometimes just MC system). 

Definition 2.5 (run). A run of Ta is a (finite or infinite) sequence of states s = 
so, si, S2 • • • such that for all i, (sj, Si+i) G Ta- 

Note that by the definition of Ta, a run is associated with a sequence of CFG 
arcs labeled by G\, G2, ■ ■ ■ where Sj_i, Sj \= G{. This sequence constitutes a (possibly 
non-simple) path in the CFG. 

Definition 2.6 (termination). Transition system Ta is uniformly terminating if it 
has no infinite run. MCS A is said to be n -terminating if Ta is uniformly terminat- 
ing. 

The prefix ir (a symbol for the order type of the integers [26J) is included since 
the same MCS can be interpreted in the well-founded model of [6j and may possibly 
be non-terminating there (though this would require the value domain to be of an 
order type greater than oS). The term uniform refers to termination that is inde- 
pendent of the initial state. In Section [7] we discuss the consequences of specifying 
an initial flow-point. 

Remark. It may be tempting to abstract away from the integers and, just as the 
well-founded case was treated generally (so that any well-founded domain could be 
used), give a general definition of the property that the domain has to satisfy for our 
termination arguments to apply. The property is that for any two elements there 
are only finitely many elements strictly between them. However, this abstraction 
buys us no generality, as every total order with this property is isomorphic to a 
subset of the integers. On the other hand, the fact that we assume the underlying 
set to be, specifically, the integers, has the satisfactory outcome that completeness 
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of our deduction means that specific knowledge about the integers could not have 
been used in any better way. 

2.3. Examples. Here are a few small examples that illustrate the transformation 
of programs into MCS. The reader is invited to verify that the abstract programs 
created are indeed terminating. To contrast the expressiveness of the MC abstrac- 
tion with that of the better-known SCT, comments are included regarding how the 
examples might be treated by SCT-based tools. Recall that in the SCT framework, 
only well-founded domains are handled. 

Example 2.7. Consider the following program, in a self-explanatory functional 
programming language with integer data. 
f(m,n) = if m <= then n 

else if n <= then f(m-l, n-1) 
else f(m, n-1) 

In this example the recursive calls depend on some variable being positive, and 
therefore the proof can somehow be embedded in the well-founded framework. This 
requires placing the control-flow points at the call sites, where we can rely on the 
guards; it is also necessary to deal with the fact that n, while being pertinent to 
the termination proof, is only known to be positive (and thus can be admitted into 
the SCT abstraction) in the second call. When using MCs, we need not worry 
about all of this. We can place a single flow-point at the function entry (as done in 
the simple-minded abstraction of |23j). When analysing the body of the function, 
we create an abstract transition for each recursive branch, taking into account the 
branch condition. The abstract variables will be m, n and (the analyser should 
recognize that these three quantities are involved in the comparisons) . The resulting 
MCS thus consists of two abstract transitions: 

Gf. m>0An>0An>n / Am = m'A0 = / 

G 2 : m>0An<0An>n / Am>m / A0 = / 



Example 2.8. This simple example involves descent in a difference. 
s(m,n) = if m > n then 1 + s(m-l, n) 
else 

Here, it is possible to use the SCT framework by placing the control-flow point at 
the call site, where we know that the difference m — n is positive, and using the 
difference as the abstract variable. With an MCS, we can use a straight-forward 
translation: 

G\ : m>nAn = n / Am>m / 
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As noted, both of the above examples could be proven terminating by SCT using an 
abstraction that relies on invariants and judicious placement of the flow-points; such 
techniques have been implemented, for example, in the theorem prover ACL2 |27] . 
The next programs challenge to the simple invariant-based technique, and therefore 
illustrate more significantly the advantage of monotonicity constraints. 

Example 2.9. Consider the following program: 
g(m,n) = if m <= then n 

else g(n, m-1) 

Both parameters are pertinent to termination, but only m is known to be positive at 
the call site. But as m' is unrelated to m, this does not suffice to prove termination. 
Neither is the difference n — m useful as an abstract variable, since there is no 
information on its sign and it does not change monotonically. Nonetheless, it is not 
hard to prove termination with the straight-forward MCS abstraction: 

G\ : m>0An = m / Am>n / 

Example 2.10. In this example, unsatisfiability of certain paths is crucial to the 
termination proof, 
while (0<x<n) 
if b then 
x := x+1 
else 
x := x-1 

A way to handle this program with SCT might be the calling-context method imple- 
mented in ACL2; the theorem prover is used to discover the fact that an increment 
cannot be followed by a decrement (or vice versa). It produces an abstract program 
into which this information is already coded. It also produces the abstract variable 
n — x. In contrast, with monotonicity constraints, a naive translation of the program 
is sufficient. Since only the integer domain is treated in this work, we represent the 
Boolean variable b as an integer with the test interpreted as b>0. This yields: 

Gi : 0<xAx<nAb>0Ax<x / An = n'Ab = b'A0 = / 

G 2 : 0<xAx<nAb<0Ax>x'An = n / Ab = b'A0 = / 

Example 2.11. Consider the following program. 
g(m,n) = if m <= then n 

else g(m+n, n-1) 

The apparent difficulty here is that the sign of n is not known at the point where it is 
added to m. Hence, one cannot adequately represent the effect of such an update by 
a monotonicity constraint. A similar problem arises with other operations (notably 
subtraction). However, this nut is easily cracked, since one can represent the effect 
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Figure 1: MCs of Example 2.11 as graphs. The left-hand side is the source. Broken 
arcs represent non-strict descent. 



of addition as a disjunction of three monotonicity constraints. Thus, for the above 
program, we have the following (terminating) abstraction: 



G 2 
G 3 



m>0An>0Am<m / An>n / A0 = / 
m>0An = 0Am = m / An>n / A0 = / 
m>0An<0Am>m / An>n'A0 = / 



Note that when n is initially positive, the first parameter grows at first, until n 
reaches zero and then the first parameter begins to shrink. Programs with such 
"phase shift" have attracted the attention of termination researchers, and appear in 
several publications, e.g., [TT] . 



2.4. A comment regarding state invariants. None of the above examples used 
state invariants (associated with a flow-point rather than a transition), and in fact 
it is easy to see that one can always do without them, as it is possible to include the 
constraints If in every MC that transitions from /. However, it may be convenient 
to make the association of certain assertions with a flow point, rather than a specific 
transition, explicit, and our algorithms make significant use of such invariants. 

Z: The next two sections deal, respectively, with the representation and transformation of 
MCSs; the ideas are not essentially different from those used in [6] but there are some 
new details which are important for the sequel. 



2.5. Weighted graph representation. An MC can be represented by a labeled 
digraph (directed graph). This representation enables a style of reasoning, using 
graph properties like paths, which has been very useful in most, if not all, previous 
work on SCT and monotonicity constraints. An arc x A y (r is the label) represents 
a relation x > y or x > y. One only needs two labels, > and >. It is convenient to 
use integers for the labels, and apply techniques from the world of weighted graphs. 
Hence, we employ the term weighted graph representation. 
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Definition 2.12. The weighted graph representation of a monotonicity constraint 
is a weighted digraph with node set {xi, . . . ,x n , x\, . . . , x' n } and for each constraint 

x > y (respectively x > y), an arc x — ^> y (x — > y'). The arcs are referred to, 
verbally, as strict (label —1) or non-strict (label 0). 

The notation x — ¥ y may be used to represent an arc from x to y (of unspecified 
label). In diagrams, to avoid clutter, we distinguish the types of arcs by using 
a dashed arrow for the weak inequalities (see Figure [1]). Note that an equality 
constraint x = y is represented by a pair of non-strict arcs. In certain algorithms, 
it is convenient to assume that the such arcs are distinguished from "ordinary" 
non-strict arcs. We refer to them as no- change arcs. 

Definition 2.13 (h). Let P(s, s') be any predicate over states s, s' , possibly written 
using variable names, e.g., x\ > X2 A X2 < x' 2 . We write G h P if Vs, s' : s, s' \= G 
P(s,s>). 

Definition 2.14. A monotonicity constraint G, in graph representation, is closed 
under logical consequence (or just closed) if, whenever G h x > y, or G h x > y, 
for x, y € {xi, . . . , x m x' x , . . . , x' n }, the stronger of the implied relations is explicitly 
included in the graph. 

Note that for G : f —> g, the condition G h P takes the invariants If and I g 
into account (consider Definitions 12.31 and 12. 13j) . Thus, a closed MC subsumes the 
invariants in its source and target states. 

Definition 2.15. An MC H is at least as strong as G if whenever G h P, also 
H h P. The (consequence) closure of a monotonicity constraint G, denoted G, is 
the weakest MC that is at least as strong as G and is consequence-closed. 

The closure of a graph be computed efficiently (0(n 3 ) time) by a DFS-based 
algorithm. First the graph is divided in strongly connected components. Within 
every component, only non-strict arcs should appear; otherwise the graph is unsat- 
isfiable and should be immediately replaced by the fixed object _L. Otherwise, the 
components represent groups of variables constrained to be equal, and the acyclic 
graph of components can be processed to determine the constraints relating each 
pair. 

Henceforth, we identify a MC with its consequence-closed graph representation, 
and assume that this is how our algorithms will maintain them. In graph represen- 
tation, the restriction of the SCT framework is that only arcs of the form x — )■ y' are 
admitted. Graphs of this form are called size-change graphs in the SCT literature 
and so will they be called in this paper. 

2.6. Transforming MC systems. A key tool in processing MC systems is the 
idea of transforming them for the purposes of analysis. We employ two kinds of 
transformations: the first kindcreates a new system that is "equivalent" in the sense 
that they have the same runs, up to renaming of flow-points and possibly variables — 
the precise notion is bisimulation, defined below. The second kind of transformation 
creates a system that represents part of the runs of the given one — see the definition 
of restriction below. These definitions are given here for later reference. The first 
(bisimulation) is cited verbatim from [6]. 
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Definition 2.16. Let A, B be transition systems, with flow-point sets F^, F® 
respectively, and both having states described by n variables. We say that A sim- 
ulates B if there is a relation <fi C F B x ("correspondence of flow-points") and, 
for all (/, g) G (f), a bijection ifi g j : {1, . . . ,n} — > {1, . . . , n} ("variable renaming") 
such that for every (finite or infinite) state-transition sequence (/i,0"i) i— > (/2,02) ^ 
(/3> a s) of B there is a corresponding sequence (<?i, cr^) i— )• (52, "2) ^ G?3' "3) ^ 

. . . of „4 with (fi,gi) G and 0^ = Oi o (V^./i)- We say that A bisimulates B if, in 
addition, for every (finite or infinite) state-transition sequence (gi,a[) \-t (02,02) 
(53) 03) '->■••■ of .4 there is a corresponding sequence (/1, oi) i-> (/2, 02) h-> (/ 3 , 03) 1— > 
... of B, also with G and • = cxj o (^,/J. 

Thus, „4 bisimulates £> if they simulate each other via the same pair of mappings. 

Definition 2.17. We say that an abstract program A (bi-)simulates an abstract 
program B if Ta (bi-)simulates T&, via mappings 4> and ip, as above. 

We say that A simulates B deterministically if for every f £ F B and assignment 
satisfying If there is a unique g G F^ with (/, g) G 4> such that, letting 0' = 
o (ip g j), assignment 0' satisfies I g . 

If A bisimulates B, and A simulates B deterministically, we say (for brevity) 
that A bisimulates B deterministically. 

Determinism means that the invariants of different A flow-points that simulate 
a given B flow-point have to be mutually exclusive. 

Definition 2.18. The notation A ~</>,^ B means that A simulates B determinis- 
tically via flow-point correspondence 4> and the variable renaming function 4>. We 
omit (f> when it is the identity, and omit both if it is not important to specify them. 

Definition 2.19. Let A, B be transition systems, with same flow-point sets F- 4 - = 
F™, and both having states described by n variables. We say that A is a restric- 
tion of B, and write A <£ B, if every (finite or infinite) state-transition sequence 
(/i) o~\) h-» (/2, 02) i—s- (/3, 03) i-)- . . . of B is also a transition sequence of A. 

A restriction results, obviously, from tightening the constraints at certain flow- 
points or transitions. 

Definition 2.20. We write A ts^, B, if there exists C such that A (s C and C ~^ B. 

3. Stable Systems 

The notion of stable MC systems is from [6]. This section recalls the definition and 
states some consequences of stability that are used in forthcoming proofs. 

Z: There is no novelty here. 

Definition 3.1. An MCS A is stable if (1) all MCs in A are satisfiable; (2) For all 
G : f — > g in A, whenever G h Xi t> Xj (some relation between source variables), 
also If h Xi > Xj . (4) Similarly, if G h x\ > x'a , also I g h Xi \> Xj . 
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Note that while consequence-closure requires that all information from If and 
I g be present in G, stability requires that G cannot add information to If and I g . 

Stabilizing a given system may require flow-points to be duplicated, since two 
MCs coming out of / may disagree on the conditions that must be placed in If. 

It is always possible to tranform an MC system B into a stable A such that 
A ~ £>; this transformation is called stabilization, and an algorithm is described 
in [6|. Stabilization does not rename variables, but may require flow-points to be 
duplicated, since two MCs coming out of / may disagree on the conditions that must 
be placed in If. In the worst case, it can multiply the size of the system by a factor 
exponential in the number of variables n (specifically by the Ordered Bell Number 
B n which is between n\ and 2 n_1 n! |30|. Seq. A670]). A brute-force solution, which 
always reaches the worst case, was also described. This solution turned out useful 
in constructing global ranking functions and will also be used for this purpose in 
this paper. 

3.1. Properties of stable systems. 

Lemma 3.2. Let M = G1G2 ■ ■ ■ Ge be a finite multipath of a stable MCS. Suppose 
that there is a path in M from x[0,s] to x[£, t\. Then there is a thread with such 
endpoints. 

The lemma works for down-paths (and down-threads) as well as for up-paths 
(and up-threads), which can be seen (for more convenient argument) as paths in the 
transposed graph. 

Proof. We consider the shortest path among the given endpoints. It has to be a 
thread, for otherwise it has two consecutive arcs among the nodes of a single graph 
Gi. Stability and consequence-closure of the graphs imply that these two arcs can 
always be replaced by a single one, contradicting the choice of a shortest path. □ 

Lemma 3.3. Let M = G1G2 ■ ■ ■ Gg be a finite multipath of a stable MCS. Suppose 
that there is a path in M from x[t, i] to x[t, j] for some t, i,j with i ^ j. Then there 
is an arc with such endpoints. 

The argument is very similar to the previous one and we omit a detailed proof. 

Lemma 3.4. In a stable MCS, every finite multipath is satisfiable. 

The proof, again, is rather similar to the previous ones and is given in full in [6]. 

4. Termination 

A central contribution of [23j was the definition of a "path based" termination con- 
dition for systems of size-change graphs, dubbed the SCT criterion. The condition 
hinges on the presence of certain infinite paths in infinite sequences of size-change 
graphs (such sequences represent hypothetic execution histories) . This criterion was 
generalized in [6] to monotonicity constraints, where the paths have become walks 
(possibly cyclic). It has also been shown that assuming stability, the condition 
reduces to the SCT criterion, which is easier to reason about as well as to test for. 
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Figure 2: A multipath. 
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In this section we prove that for 7r-termination too, termination is captured by a 
path-based criterion. We consider in particular the case of a stable system, but also 
the general case. This yields a proof that 7r-termination is decidable in PSPACE. 



Z: The path-based criterion, and consequently the algorithm, enhance the criteria and algo- 
rithm of [5] in a way which seems, at least after the fact, very natural. The completeness 
proof was the challenging part as it differs significantly from [5] ; it is inspired by [T2] . 
This section also includes a discussion of the algorithm proposed in [T2] . 



4.1. Some definitions. 

G G 

Definition 4.1 (multipath). Let A be an n- variable MCS, and let /o — \ f± -4 f2 ■ ■ ■ 
be an MC-labeled path in the CFG (either finite or infinite). The multipath M that 
corresponds to this path is a (finite or infinite) graph with nodes x[i,i], where t 
ranges from up to the length of the path (which we also refer to as the length 
of M), and 1 < i < n. Its arcs are obtained by merging the following sets: for all 
t > 1, M includes the arcs of Gt, with source variable x\ renamed to x[t — and 
target variable x'j renamed to x[t,j]. 

The multipath may be written concisely as G1G2 ■ ■ ■ ; if Mi, M2 are finite mul- 
tipaths, Mi corresponding to a CFG path that ends where M2 begins, we denote 
by M1M2 the result of concatenating them in the obvious way. The notation {G) x 
represent a multipath made of x copies of G. 

Figure [2] depicts multipath G1G3G1, based on the MCs from Figure [TJ 
Clearly, a multipath can be interpreted as a conjunction of constraints on a set 
of variables associated with its nodes. We consider assignments a to these variables, 
where the value assigned to x[t,i] are denoted a[t, i]. A multipath can be seen as 
an execution trace of the abstract program, whereas a satisfying assignment consti- 
tutes a (concrete) run of T4. Conversely: every run of Ta constitutes a satisfying 
assignment to the corresponding multipath. 

Definition 4.2. A path in the graph representation of an MC or a multipath is 
strict if it includes a strict arc. 

Observation 4.3. A finite multipath is satisfiable if and only if it does not contain 
a strict cycle. 

We next define down-paths and up-paths. The definition of a down-path is just 
the standard definition of path (which has already been used in this paper) but it 
is renamed in order to accommodate the notion of an up-path. 
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Definition 4.4. A down-path in a graph is a sequence (vo, ei, v±, ei, V2, ■ ■ ■ ) where 
for all i, ei is an arc from Vi-i to (in the absence of parallel arcs, it suffices to list 
the nodes). An up-path is a sequence (vo, e\, v\, e2, V2, ■ ■ ■ ) where for all i, ei is an 
arc from Vi to Vi-\. 

The term path may be used generically to mean either a down-path or an up- 
path (such usage should be clarified by context). 

Semantically, in an MC or a multipath, a down-path represents a descending 
chain of values, whereas an up-path represents an ascending chain. Note also that 
an up-path is a down-path in the transposed graph. 

Definition 4.5. Let M = G1G2 ... be a multipath. A down-thread in M is a 
down-path that only includes arcs in a forward direction (x[t,«] — s- x[t + l,j]). 

An up-thread in M is an up-path that only includes arcs in a backward direction 
(x[t,i]^x[t + l,j]). 

A thread is either. 

4.2. Combinatorial criteria for 7r-termination. We formulate necessary and 
sufficient conditions for the termination of an MCS in terms of its multipaths. The 
first criterion is called Condition S as it assumes a stable MCS. The second, Con- 
dition G, works with any MCS. 

4.2.1. The Stable Case. 

Definition 4.6. A stable MCS A satisfies Condition S if in any infinite multipath 
M (with variables x[t,z]) there are an infinite down-thread {x[k,hk])k=ko ko+i ... an d 
an up-thread (x[k, lk])k=k ,k +i,-> such that all the constraints x[k, Ik] < x[k, hk] are 
present in M. In addition, at least one of the threads has infinitely many strict arcs. 

We may later refer to the up-thread (x[k, Ik}) as the low thread, while the down- 
thread (x[k,hk\) is the high thread. This naming is meant to stress the relation 
x [k, Ik] < x[k, hk]'- the values assumed by the variables on the low thread are always 
lower than those assumed on the high thread. The fact that the values in the high 
thread descend, while those in the low thread ascend, suggests that the process can- 
not go on forever, which is what we want. A down-thread/up-thread pair satisfying 
this condition will be called an approaching pair. If the condition of infinitely many 
strict arcs is not guaranteed, we will use the term a weakly approaching pair. 

Theorem 4.7. Condition S is a sufficient condition for n -termination. 

Proof. Suppose that Condition S is satisfied and that A does not terminate. Thus, 
some infinite multipath M is satisfiable. The threads postulated in Condition S 
imply that the sequence of differences a[k,hk] — cr[k,lk] is infinitely descending, 
while consisting of non-negative integers. This is impossible, so we conclude that A 
is 7r-terminating. □ 
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Condition S is also a necessary condition for termination of stable systems (i.e., 
the criterion is sound and complete), but we will prove this later. 

Readers familiar with SCT will surely notice that if, for each flow-point /, 
for every pair of variables such that If h Xi < Xj, we create a variable xuj\ to 
represent Xj — Xi (guaranteed to be non-negative) and we connect such variables 
with the obvious size-change arcs (if X{ < x\ and Xj > x' h then ac(ij) > x'q h y etc), 
Condition S becomes equivalent to ordinary (well-founded) size-change termination 
in the new variables. The SCT condition requires every infinite multipath to include 
an infinitely-descending thread (a down-thread which is infinitely often strict). Our 
approaching pairs correspond precisely to threads in the difference variables. 

Thus, given a stable system, 7r-termination reduces to SCT, and this imme- 
diately provides us with a decision algorithm. Nevertheless, we dedicate the next 
couple of subsections to new decision algorithms, based directly on Condition S. The 
motivation for doing so is threefold. First, it is theoretically interesting to see how 
such a direct algorithm would work. Secondly, the SCT algorithms are exponential 
in the number of variables. Creating difference variables in advance squares the 
exponent, which is bad. Finally, we shall employ one version of the direct algorithm 
in proving the completeness of our termination criterion. 

4.2.2. The General Case. Dropping the stability does not complicate the statement 
of the termination condition very much. Instead of threads, we have to consider 
paths of any form (even such that repeat arcs). 

Definition 4.8. MCS A satisfies Condition G if in any infinite multipath M (with 
variables denoted by x[i,j]) there is an up-path (x[Lj, lj])j=o,i,... and a down-path 
(x[Hj, hj])j=Q i ... such that at least one of the paths has infinitely many strict arcs. 
Moreover, for infinitely many values of k, there is a path from x[Hk, hk] < x[Lk, Ik]- 

Theorem 4.9. Condition G is a sound condition for It-termination. 

Proof. Suppose that Condition G is satisfied and that some infinite multipath M 
is satisfiable. Then the paths described in Condition G exist and imply that the 
sequence of differences x[Hj, hj] — x[Lj, lj] is infinitely descending, while consisting 
of non-negative integers (note that if x[Lf.,lk] < x [Hk,hk], then also for all j < k, 
x[Lj,lj] < x[Hj,hj]). This is impossible, hence no infinite multipath is satisfiable, 
or equivalently, the MCS Z-terminates. □ 

Theorem 4.10. Conditions G and S are equivalent for a stable system. 

Proof. Condition S is a special caes of Condition G, so all we have to prove is that if 
Condition G is satisified, so is Condition S. Suppose, then, that Condition G holds, 
and we have the paths (x[Lj, lj])j=o,i,- anc ^ ( x [-^j> ^j])i=o,i,...; as above. It is easy 
to see that since for infinitely many values of k, there is a path from x[Hk,hk] to 
x[Lk, h], it is also true that for any k and j, there is a path from x[Hk, hk] to x[Lj,lj] 
(the path may use parts of the up-path and down-path themselves) . 

To each path, we can apply Lemma 13.21 to obtain a thread whose nodes are 
a subset of the nodes of the path; an up-thread (x[t, lj t ])t>to an d a down-thread 
(x[t,hk t ])t>t - At least one of the threads is infinitely often strict. 
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From the previous observation, we know that there is, for every t, a path from 
x[t,hk t ] to x[t, lj t ]. Applying Lemma |3.3[ we cam show that the relation x[t,hk t ] > 
x[t, lj t ] must be included in the invariant for the corresponding flow-point. □ 

Condition G is also a complete criterion for termination; the proof is based on 
stabilizing the system and the equivalence of Conditions G with Condition S in the 
stable one. The details are omitted as they are tedious and give no new insight. 

4.3. A Closure Algorithm for Stable Systems. We next present an algorithm 
to decide termination of stable Integer MCS by computing a composition-closure 
and applying a certain test to the elements of the closure set. This algorithm 
is based on the Closure Algorithm for the well-founded model [Ml CCS H7J [23l [6] , 
and is theoretically related to the Disjunctive Well-Foundedness principle |T9j. An 
algorithm sans stability is presented later for completeness; but our analysis of the 
algorithms and their correctness makes substantial use of stability (note the previous 
paragraph) . 

The following definitions are essentially from [6]: 

Definition 4.11 (composition). The composition of MC G\ : f — > g with G*2 : 
g — > h, written G±;G2, is a MC with source / and target h, which includes all the 
constraints among s, s' implied by 3s" : s, s" \= G\ A s", s' \= G2. 

Composition is similar to logical closure and can be implemented by a DFS- 
based algorithm in 0(n 3 ) time. 

Definition 4.12 (collapse). For a finite multipath M = G\...Gi, Let M = 
G\ \ ■ ■ ■ ;Ge. This is called the collapse of M (if £ = 1, it is just the consequence- 
closure of G\). 

Applying composition together with logical closure, we can easily compute of 
M for a given M . 

Definition 4.13. Given an MCS A, its closure set cl{A) is 

{M I M is a satisfiable finite A- multipath}. 

The closure set can be computed by a routine least-fixed-point procedure, as in [5]. 

Definition 4.14 (cyclic MC). We say that a MC G is cyclic if its source and target 
flow-points are equal. This is equivalent to stating that GG is a valid multipath. 

Definition 4.15 (circular variant). For a cyclic G, the circular variant G° is a 
weighted graph obtained by adding, for every variable Xi, an edge X{ <-> x\. This 
edge is treated as a pair of no-change arcs, but is distinguished from edges already 
present in G. These additional edges are called shortcut edges. 

Definition 4.16 (types of cycles). Let G be a cyclic MC. A cycle in G° is a path 
commencing and ending at the same node. It is a forward cycle if it traverses 
shortcut edges only in the backward direction (from x\ to x^jj. It is a backward 
cycle if it traverses shortcut edges only in the forward direction. 



this naming may seem strange, but will will later see that such a cycle is "unwound" into a 
forward-going thread in the multipath (G)" . 



16 



A. M. BEN-AMRAM 





x[ 


Xl •< - x\ 


X 

X2 
1 


x 2 


x, 

•'• L > -. - ./•:_, 

i 


V 

^3 


x 3 


V 

< > x'n 


X 


X 4 


x 

^4 ■< - , 


(a) 




(b) 



X\ ■<■■ 



x 2 <■■ 

v 

^3 



£4 



(c) 

Figure 3: (a) An MC G, (b) its circular variant G°; (c) the directions of shortcut 
edges are set to highlight the two cycles required by the LTTS. 



Definition 4.17 (Local ir- Termination Test for Stable Systems). For a cyclic G, we 
say that G passes the Local ir- Termination Test for Stable Systems, or LTTS, if G° 
includes a forward cycle F and a backward cycle B, at least one of which is strict, 
and an arc from a node of F to a node of B. 

This test resembles Sagiv's local test for the well-founded case [21], and likewise 
can be implemented as a DFS-based algorithm in linear time, on which we will not 
elaborate. Figure [3] illustrates the test. 

Algorithm 4.18. (The Closure Algorithm) 

(1) Build cl{A). 

(2) For each cyclic G in cl(A), apply the LTTS. 

Pronounce failure (non-termination) if a graph that fails the test is found. 

(3) If the previous step has completed, the MCS terminates. 

Theorem 4.19 (closure algorithm — soundness). Let A be a stable MCS. If every 
cyclic MC in cl(A) passes the Local tt- Termination Test for Stable Systems, A sat- 
isfies Condition S. 

The proof will use the next lemma. 

Lemma 4.20. Consider an infinite multipath M of a stable system, represented as 
the concatenation of finite segments M\M 2 ■ ■ ■ , and let M' = (M\){M2) .... Then 
M' satisfies Condition S if and only if M does. 

Proof. Suppose first that M' satisfies Condition S. The down-thread in M' can be 
mapped back to M, where it consists of variables x[ki, hi], such that fe, is the length 
of M\ . . . Mi. The arc x[i, hi] — >■ x[i + 1, /ij+i] in M' is actually an arc of Mi+i, and 
reflects (by the definition of composition) a path in Mi + \. By Lemma [3.21 this path 
can be assumed to be a thread. We thus obtain an infinite down-thread that passes 
through the variables x[ki,h{]. Similarly, we obtain an infinite up-thread through 
the variables x[ki, Condition S also implies that the constraint x[ki, hi] > x[ki, lj\ 
is present in M for every i. For k{-\ < k < ki, we have a down-thread from some 
x[k, h] to x[ki, hi], and an up-thread from some x[k, I] to x[ki,U], so we have a path 
from x[k, h] to x[k,l]. By Lemma [3^3| x[k,h] and x[k,l] must be explicitly related 
in M. 
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For the converse implication, we assume that M satisfies Condition S and we 
are to prove it for M'\ this is symmetric, but simpler than the above argument, and 
so is left to the interested reader. □ 

Proof, (of Theorem 14. 19[) We suppose that every cyclic MC in cl(A) passes the 
LTTS. Let M = G\G 2 ■ ■ ■ be any infinite A multipath. 

Consider the set of positive integers, and label each pair (t, t') , where t < t', by 

G = Gt; Gt+i; ■ ■ ■ Gf-i 

which is included in cl(A), since this multipath is satisfiable (Lemma 13. 4|) . By 
Ramsey's theorem (in its infinite version), there is an infinite set of positive integers, 
/, such that all pairs (£,£') with t,t' £ I carry the same label Gi. 

Thus for any t,t' & I with t < t' , G t ; G t+1 ; ■ ■ ■ G t >-\ = G/. By Lemma [OQ1 
it now suffices to show that multipath (Gj) u (infinite sequence of G/'s) satisfies 
Condition S. 

By assumption, Gi passes the LTTS. Let F be the forward cycle. Due to 
consequence-closure, we can shrink each segment of F that consists of ordinary arcs 
(not shortcuts) into a single arc, so that without loss of generatlity we may assume 
that the cycle alternates source (unprimed) with target (primed) variables. We can 
thus choose indices fti , /t2, • • ■ such that the nodes of the cycle are Xh , x' hi , x^ , x' h2 
and so on up to x' h for some s > 0, with h s = ho. We can do the same for the 
backward cycle B, denoting the variables by x\. and x',., for < j < s, where s is 
the length of that cycle. By LTTS, there is also an arc from a node of F to a node 
of B; suppose that they are both source nodes; then, without loss of generality (a 
cycle can be begun at any point), we can assume that G h Xh > xi . In fact, there 
is no loss of generality in assuming that the related nodes are source nodes, either; 
suppose, for example, that we have G h x' h > xi ; then G h Xh > xi is implied. 
Other situations can be handled similarly. 

To show that Condition S is satisfied, we map the cycles onto infinite threads 
in (G/) w . The kth node of the down-thread is x[k, hk mod s]- The kth node of the 
up-thread is x[k,l^ 

—k) mod s] (indexing the backward cycle with s — k rather than k 
yields an up-thread). Either the infinite down-thread or the infinite up-thread (or 
both) is infinitely often strict. 

According to our assumptions, for all q we have the constraint x[qss, ho] > 
x[qss, Iq\. This implies x[k, hk mod s] — x [k, Ik mod $] since we have the following path: 
traversing part of the up-thread from x[k, h^ mo d s ] to x[qss, ho] for some q such that 
qss > k, then using x[qss,ho] > x[qss, lo] which we have by assumption, and then 
traversing the down-thread in the reverse direction from x[qss,lo] to x[k, If. mo ds\- 
By Lemma |3.3| the deduced constraint must explicitly appear in in the multipath. 

We conclude that Condition S is satisfied by (Gj) u . □ 

4.4. The Role of Idempotence. We call G idempotent if G is cyclic and G;G = G. 
Following [12] (and similar results in [171 123j). we claim: 

(1) In the closure algorithm, it suffices to test only idempotent members of cl(A). 

(2) The local test becomes simpler with idempotent graphs. 
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The first claim is easy to justify by studying the argument in the soundness 
proof: the graph Gi whose existence is established there is clearly idempotent. For 
the second, let us describe the simple test and justify it. 

Definition 4.21 (Local tt- Termination Test for Idempotent MCs). We say that G 
passes the Local tt -Termination Test for Idempotent MCs, or LTT1, if it is idempo- 
tent, and for some 1 < /, h < n, G h xi < Xh A X[ < x\ A Xh > x' h , where at least one 
of the last two inequalities is strict. 

Lemma 4.22. Let A be a stable MCS and G an idempotent, cyclic MC in cl(A). 
Then G passes the LTTS if and only if it passes the LTT1. 

Proof. One direction of this equivalence is easy: if G passes the LTT1, it has the 
cycles Xh — > x' h — > x^ and x\ — >■ x\ — > xi, that satisfy the LTTS. 

For the other direction, suppose that G passes the LTTS. Repeating the analysis 
in the proof of Theorem I4.19[ and re-using the notation, we let 2s be the length 
of the forward cycle (assuming it alternates shortcut and ordinary arcs) and 2s the 
length of backward cycle (under a similar assumption) , and consider the multipath 
A4 = (G) ss . It has a down-thread from x[0,/io] to x[ss,ho], so (G) ss hi/, > x' h . 
But by idempotence, (G) ss = G. Similarly, we deduce that G h x\ < x[, that one of 
these relations is strict, and that G h xi < Xh- Therefore, G passes the LTT1. □ 

We obtain the following version of the closure algorithm: 

Algorithm 4.23. (Closure Algorithm with Idempotence) 

(1) Build cl{A). 

(2) For each cyclic G in cl(A), if it is idempotent apply the LTT1 to G. Pronounce 
failure (non-termination) if a graph that fails the test is found. 

(3) If the previous step has completed, the MCS terminates. 

Though this algorithm makes fewer local tests, it does not seem to be practically 
better than the previous, since the local test is quite efficient. On the contrary, 
applying the test to every graph in the closure allows for early discovery of fail- 
ure. More importantly, it allows for reducing the size of the set by subsumption 
(consider [H [18] and others). 

4.5. Complexity. The closure algorithm, regardless of minor savings based on 
idempotency or subsumption, has an exponential worst-case for time and space. 
This follows from the fact that the closure set can be exponential. An easy upper 
bound is this: for any pair of flow points /, g, an MC relates the 2n variables in the 
source and target states. The number of such MCs is easily bounded by 3 4n as an 
MC is completely specified by choosing either <, < or "nothing" for every ordered 
pair of variables. The complexity of the whole data structure, and the time of the 
algorithm, are thus poly(m) • 2 ;°( n2 ) where m is the number of flow-points^. 

In Section [U a polynomial-space algorithm will be described, just to make the 
theoretical classification of the problem in PSPACE. Practically, the polynomial- 
space version is not attractive because its running time gets worse. On the other 

^There are instances of size O(n) that actually generate a closure of 2 e< - n ' MCs. The exponent 
is thus not an overestimate. 
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hand, in Section |4] we show that the exponent in the running time can be brought 
down to 0(n log n). But this, too, seems to be an improvement only in a highly 
theoretical sense. 

4.6. Completeness. This section proves the completeness of Condition S, as well 
as the closure algorithm, by proving that if an idempotent MC in a stable system 
does not satisfy the LTTS, the system fails to terminate. 

To show that the system does not terminate, we exhibit a satisfiable infinite 
multipath. 

Lemma 4.24. Let M be a finite, cyclic, satisfiable multipath and G = M. If (G)^ 
is satisfiable, so is (M) w . 

Proof. Suppose that is satisfiable. That is, a satisfying assignment a exists 

such that a[t,i] is the value of x[t, i\. Consider (M) w . For distinction, let us denote 
its variables by x' [_,_]. Let £ be the length of M; the variables x'[£t,i] represent 
the borders of the copies of M, and correspond to the source and target variables 
of G. Recall that i varies between 1 and n, the number of variables. Set a'[£t,i] = 
n{£ + l)o~[t,i]. We claim that a' can be extended to a satisfying assignment for 
(M) w . The construction is illustrated in Figure HI 

When considering the assignment to a particular copy of M, it is possible to 
ignore all others, since all nodes on its boundary are already assigned. Thus, suppose 
that we are given a copy of M, say the pth copy, with an assignment to its boundary 
nodes given by cr'\p£, _] and a'[(p+l)£, _]. Consider M as a weighted graph; the graph 
has no negative-weight cycles, or M would be unsatisfiable. 

Let ji be the biggest value assumed by a' over the boundary nodes of M. Add 
an auxiliary node z to M and arcs from z to all M's nodes, weighted as follows: 
an arc to a boundary node x'[(p + j)£,i] is weighted by cr'[(p + j)£,i\- All other 
arcs have weight \i + n(£ + 1) (note that n{£ + 1) bounds the length of any simple 
path in M). Let 5 z (j, i) be the weight of the lightest path from z to x'[j, i]. This is 
well-defined, due to the absence of negative cycles. 

If there is an arc of weight w from x'[j, i] to x'[j' , i'], then 5 Z (J', i') < 5 z (j, i) + w. 
Recalling that non-strict arcs have a weight of and strict arcs, of —1, it is easy to 
see that assigning S z (j,i) to x'\j, i\ is a satisfying assignment for M. 

It rests to show that this assignment agrees with a'. To this end, let x[(p+j)£, i] 
be a boundary node. By construction, 6 z ((p + j)£, i) < cr'[(p + j)£, i\. A strict 
inequality can only arise if there is a path from z to x'[(p + j)£,i], lighter than 
the immediate arc. It can be assumed to be a simple path; it begins with an arc 
z —> x'[r,s] and then rests within M. Let P be the segment within M; since it is 
simple, its weight w is bigger than — n(£ + 1). Using this, one can easily eliminate 
the possibility that the path begins with an arc z — > x'[r, s] where x'[r, s] is not a 
boundary node. Suppose, then, that x'[r, s] is a boundary node, and can be written 
as x'[(p + k)£, s]. Then, we have 

u'[(p + k)£, s]+w< a'[(p + j)£, i] . (4.1) 

We now distinguish two cases. If a[p + k, s] > a[p + j,i], we get (multiplying by 
n(£ + l)): 

a'[(p + k)£, s] > n(£ + 1) + a'[(p + j)£, i] (4.2) 



20 



A. M. BEN-AMRAM 




24 



12 



\ 

1 

/ 



I o ■< 



36 



24 



12 



24 



12 



23 



24 
24 



-22^ 

/ 

I 24 ^ 

\ 

S 1 ' 

22 — 



36 



24 



12 



(d) 



(e) 



Figure 4: An illustration for the proof of Lemma 4.23: (a) A multipath M; (b) 
G = M; (c) G with an assignment a; (d) M with its boundary values set 
(note that n(£ + 1) = 3 • 4 = 12); (e) the assignment to M completed by 
a lightest-path computation. 



contradicting Inequality (|4.ip . 

If a[p + k, s] = cr\p+j, i], there can be no strict path from x\p + k, s] to x\p+j, i], 
and hence no strict path from x'[(p + k)£, s] to x'[(p + j)£, i]. Thus w > 0; and again 
a contradiction ensues. 

If a[p + k,s] < cr[p + j,i], there can be no path at all from x\p+k,s] to x[p + j,i], 
and hence no path from x'[(p + k)£, s] to x'[(p + i]. 

We conclude that 5 z ((p + j)£, i) = a'[(p + j)£, i], so we have a satisfying assign- 
ment that extends a', as desired. □ 

Lemma 4.25. Let A be a stable MCS and G € cl(A) be an idempotent MC that does 
not pass the Local ir- Termination Test for Stable Systems. Then A has a satisfiable, 
infinite multipath. 

Proof. We will show that (G) w is a satisfiable multipath. Then, the conclusion will 
follow by Lemma 14.241 

The first step is to add a new variable xq ("the zero line") with constraint 
xq = x'q. Next, we make sure that every other variable is related to xq. We do this 
as follows: 

(1) For each Xi such that G h Xi < x[, we add xi > xq and x\ > x' . 

(2) For each xi such that G h Xi > x[, we add Xi < xq and x\ < x' . 

(3) If there is a variable x^ which is still unrelated to x$, we add Xi > xq and x\ > x' Q . 
This is repeated until all variables are related to xq or x' . 

It is not hard to verify that G remains idempotent throughout this process. G also 
remains satisfiable, since the above additions are non-contradictory: It is easily seen 
that in the first stage, the additions cannot be contradictory — they cannot form 
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a directed cycle; the additions in the second stage cannot be contradictory among 
themselves, and they cannot form a contradiction with the additions of the first 
stage, because, by assumption, we cannot have Xi < x\ in G together with Xj > x'- 
and Xj > Xi (or x'j > x'j). In the third stage, it is obvious that no contradictions 
can arise. 

Let G denote the extended MC; we will show that {G) w is satisfiable. Let V be 
the set of variables of (G)^. We define an assignment a : V — > Z as follows: 

• For all t, o~(x[t,0]) = 0. We shall refer to these variables collectively as (note 
that they are all related by equalities so if a variable is related to one of them, it 
is related to all). 

• For all v 6 V such that there is a directed path from v to 0, let cr(v) be the 
maximum number of strict arcs on such a path (note that only simple paths need 
be considered, since there are no strict cycles). 

• For all v £ V such that there is a directed path from to v, let cr(v) be the 
negation of the maximum number of strict arcs on such a path. 

Note that since every variable in G is related to xo (or x' ), we have covered all 
cases. Why are the assignments well-defined? The only problem to worry about is 
the existence of a node v such that its distance from is unbounded. 

Suppose that such v exists and that there is a path from v to (the other case, 
a path from to v, is symmetric). Thus, there are infinitely many paths P, from 
v to 0, such that Pi has at least i strict arcs. For each such path, we can assume 
that only one appears on the path; otherwise we can cut the path at the first 
occurrence (there can be no strict arcs among occurrences of 0). 

The pigeon-hole principle shows that for sufficiently large i, Pi must visit a 
certain state- variable Xj twice, say as x[t, j] first and x[t', j] later, with a strict arc 
in-between. Moreover, by choosing i big enough, we can enforce the condition t' > t. 
Then, by idempotence of G, we have G h Xj > x'-. But then, xj < xo is in G; the 
rest of Pi implies that there is a path from x[t',j] to 0, so we also have G h x'a > xo, 
a contradiction. 

We conclude that our assignment a is well defined; and the fact that it satisfies 
all constraints is easy to prove by its construction. Since it satisfies (G) w , it also 
satisfies (G) w . □ 

Theorem 4.26. If a stable MCS does not satisfy Condition S, it is not n -terminating. 

Proof. Let A be such a system; suppose that every idempotent MC in cl(A) passes 
the LTT1. The Condition S is satisfied, contradictory to assumption. So there 
has to be an idempotent MC which fails the LTTS, and by the last lemma, a non- 
terminating run exists. □ 

Corollary 4.27. Condition S is a equivalent to tt -termination of a stable MCS, and 
the closure algorithm is a sound and complete decision procedure. 

4.7. Codish, Lagoon and Stuckey's Algorithm. Codish, Lagoon and Stuckey [T2] 
also gave (albeit implicitly) an algorithm to decide termination of an integer MCS, 
under the assumption that the data represented are non-negative integers (so ter- 
mination follows either by descent towards zero, or by approaching variables). The 
algorithm is closely related to Algorithms 14.181 and 14.231 
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Definition 4.28 (balanced constraint, |12|). A cyclic monotonicity constraint G is 
balanced if G h X{ \>Xj <^ G \= x^ >x'- (where > is > or >). The balanced extension 
Gb of G is the weakest monotonicity constraint which is at least as strong as G and 
is balanced. 

To compute the balanced extension, Codish, Lagoon and Stuckey suggest a 
fixed-point computation: Define bal(G) = G/\{xi>Xj \ G h x' i >x'j}A{x' i >x'j \ Gh 

Xi t> xj}. They observe that there always is a p such that baf p \G) is balanced and 
equals Gb (it is then a fixed point of bal). Since there are at most An{n — 1) 
constraints that can be added by bal, p < 4n(n — 1) (according to [12], there are 
tighter bounds). Hence, Gb can be computed from G in polynomial time. 

Algorithm 4.29. (CLS Algorithm) 

Input: an MCS A, not necessarily stable. 

(1) Build cl(A). 

(2) For each cyclic G in cl(A), apply the LTTS to Gb- 

Pronounce failure (non-termination) if a graph that fails the test is found. 

(3) If the previous step has completed, the MCS terminates. 

The CLS algorithm relies on the balancing procedure to compensate for lack of 
stability in A. In fact, the significance of Gb can be related to stability. Consider 
the MCS {G}, consisting of a single cyclic MC. Let S{G} be the smallest stable 
system bisimulating {G} It is not hard to prove that in S{G} there is a single cyclic 
graph, namely Gb- 

Soundness and completeness of Algorithm 14.291 are quite similar to those given 
for Algorithms 14.181 and 14. 231 Codish et al. give a partial completeness proof, specif- 
ically they prove that if Gb fails the test than {G} does not terminate. The piece 
missing for proving non-termination of A is precisely Lemma 14.241 

4.8. A General Closure Algorithm. We next present an algorithm which com- 
putes the composition-closure and applies a local test, which does not rely on sta- 
bility. In essence, it corresponds to Algorithm 14.181 in the way that Condition G 
(Section I4.2.2P corresponds to Condition S; as Condition G refers to general paths 
instead of (up or down) threads, so will this test refer to cycles in the graph that 
may have a more complicated form than those used by Algorithm 14.181 Since this 
is a strict generalization and does not conflict with the prior definitions, we use the 
same terminology for cycles, redefined as follows. 

Definition 4.30 (types of cycles, generalized). Let G be a cyclic MC. A cycle in 
G° is a forward cycle if it traverses shortcut edges more often in the backward 
direction (from x\ to Xj) than it does in the forward direction; a backward cycle, if 
it traverses shortcut edges more often in the forward direction; and a balanced cycle 
if it traverses shortcut edges equally often in both directions. 

Figure [5] (a— c) illustrates a forward cycle in the extended sense. 

Definition 4.31 (Local Termination Test, General Case). For a cyclic G, we say 
that G passes the Local it -Termination Test, or LTT, if G° either has a balanced 
strict cycle, or both a forward cycle f and a backward cycle b, at least one of which 
is strict, and a path from a node of f to a node of b. 
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Figure 5: (a) An MC G, (b) its circular variant G°; (c) the directions of shortcut 
edges are set to form a forward descending cycle, (d) a walk in a prefix of 
G w , corresponding to the cycle. The notation x\ is a shorthand for x[t, i]. 
(Example after Codish, Lagoon and Stuckey) 



Algorithm 4.32. (Closure Algorithm not presuming stability) 

(1) Build cl(A). 

(2) For each cyclic G in cl(A), apply the Local n- Termination Test. 
Pronounce failure (non-termination) if a graph that fails the test is found. 

(3) If the previous step has completed, the MCS terminates. 

The proof of this algorithm much alike the proof of a similar algorithm for the 
well-founded model [6], but rather tedious and is omitted. 

4.9. Summary. In this section we have presented a path-based condition for termi- 
nation, its soundness and completeness, and sound and complete decision procedures 
based on it. The condition comes in two flavours: there is a version for general MCSs 
and a version for stable ones. We concentrated on the latter. Stabilization may be 
costly (the worst case incurs exponential blow-up), and hence the algorithms that 
do not require this preprocessing may be more efficient in practice (at least, if all we 
require is to decide termination). We also included Codish, Lagoon and Stuckey 's 
algorithm, which is similar to the new algorithms proposed here. The contribution 
of the new algorithms may be mostly theoretical — a contribution to the understand- 
ing of MCS termination, as they are directly related to the path-based criteria. In 
addition, we have closed a gap in the completeness proof of [12]. In the sequel, 
an entirely different algorithm will be proposed, which constructs an explicit global 
ranking function. If only the decision problem is of interest, the last (without stabi- 
lization) is probably the most efficient, except for simple cases (such a simple case 
is SCT transition systems, since they are always stable). 



21 



A. M. BEN-AMRAM 



5. Full and Partial Elaboration 

In [6], some of the results were proved using the following observation: for a finite 
number of variables, there are only finitely many orderings of their values. It is thus 
possible to exhaustively list all possibilities and create an explicit representation 
of how transitions will affect each one. This is called full elaboration of an MCS. 
It served two purposes in [6] (and so it will in the current paper): first, since it 
generates a stable system, it gives an easy route to a decision procedure — one which 
is inefficient regarding time but can be used to prove that the problem is decidable 
in polynomial space. The second purpose was the algorithm to construct a global 
ranking function; the fully-elaborated system has some structural properties that the 
construction was based on. In this paper, too, we use full elaboration in that way. 
The current section presents full elaboration as defined in [6], and infers PSPACE- 
completeness of the termination problem; then, partial elaboration is introduced, as 
a tool to be used in the subsequent section. 

Z: The idea of full elaboration is taken from [6] , and Theorem 15.41 is a straight-forward 
application, as it was in the previous paper. The idea and details of partial elaboration 
are new definitions that are necessary for the new algorithm in the following section. 

Definition 5.1 (full elaboration). An MCS A is fully elaborated if the following 
conditions hold: 

(1) Each state invariant fully specifies the relations among all variables. That is, 
for i,j<n, one of the relations Xj = Xj, Xi < Xj or xi > Xj is specified by //. 

(2) Each MC is closed under logical consequence. 

(3) Each MC in A is satisfiable. 

Since the state invariant fully determines the relations among all variables, we 
can re-index the variables into sorted order, so that the invariant becomes 

xi {t}x 2 {<}... {<}x n . (5.1) 

Of course, the re-indexing has to be incorporated also in MCs incident to this flow- 
point, but this is straight-forward to do. Indexing the variables in sorted order has 
some convenient consequences, such as the having the property: 

Definition 5.2. G has the downward closure property if for all k < j, G h Xi>x'- 
entails G h Xi>x' k . 

The number of possible orderings of n variables, hence the maximum number 
of copies we may need to make of any flow-point to achieve full elaboration, is the 
the nth ordered Bell number B n , already mentioned. We denote the set of these 
orderings by Bell n , and assume that we fix some convenient representation so that 
"orderings" can be algorithmically manipulated. 

The algorithm of full elaboration follows almost immediately from the defini- 
tions, and here it is, quoted from [6]: 

Algorithm 5.3. (full elaboration) Given an MCS B, this algorithm produces a 
fully-elaborated MCS A, along with mappings <f> and ip, such that A ~ B. 

(1) For every / £ F 13 , generate flow-points f n where it ranges over Bell n . Define 
the variable renaming function ipf^j so that ipf^jii) is the ith variable in sorted 
order, according to n. Thus, If w will have exactly the form (|5.ip . 
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(2) Next, for every MC G : f — > g in B, and every pair f n ,gm, create a size-change 
graph G ntV j : f n -> g m as follows: 

(a) For every arc x — >■ y G G, include the corresponding arc in G^ tVJ , according 
to the variable renaming used in the two A flow-points. 

(b) Complete G V%VJ by closure under consequences; unsatisfiable graphs (de- 
tected by the closure computation) are removed from the constructed sys- 
tem. 

Since a fully elaborated system is stable, full elaboration allows termination to be 
checked by a closure algorithm as previously described. However, full elaboration 
will often be costlier than stabilization by fixed-point computation. Therefore, it is 
not worthwhile — unless we are interested in worst-case complexity! The complexity 
of the closure algorithm has an exponent of n 2 , while full elaboration only intro- 
duces an exponent of n log n and can subsequently be tested for termination by an 
algorithm of the same exponent, as the next section will show. Full elaboration is 
also a convenient means to justify the PSPACE upper bound. 

Theorem 5.4. The MCS n -termination problem is PSPACE- complete. 

Proof. It is known [23j that the SCT Termination problem is PSPACE-hard, which 
also applies to MCS because SCT is a special case (to reduce an SCT problem, 
which assumes well-foundedness, to a 7r-termination problem, include a "bottom" 
variable and constrain all others to be bigger. This is like restricting the domain to 
the positive integers). 

To show that the problem is in PSPACE, we will outline a non-deterministic 
polynomial-space algorithm for the complement problem, that is, non-termination. 
The result will follow since (by Savitch's theorem) coNPSPACE = NPSPACE = 
PSPACE. 

Algorithm 14.181 can be seen as a search for a counter-example — a cycle in the 
CFG that fails the test. The non-deterministic algorithm guesses such a cycle. In 
each step, it adds a transition to the cycle while composing the transition's MC 
with an MC that represents the CFG path traversed so far. Only this MC, along 
with the initial and current flow-point, have to be maintained in memory. Whenever 
the current flow-point is the same as the initial one, the local termination test is 
applied. If at some point, an unsatisfiable MC results, the algorithm has failed to 
find a counter-example. Otherwise it continues until finding one. 

Given an input MCS B, we apply the Closure Algorithm to the fully elaborated 
system A equivalent to B. To achieve the polynomial space bound, A is never 
constructed explicitly. In fact, to represent a flow-point f n of A, we just maintain 
the B flow-point / along with the ordering ir (we do not re-index the variables). If 
the next flow-point is chosen to be g m (both the flow-point and the ordering are 
chosen non-deterministically) , the MC G n ^ is computed on the spot. 

It should be easy to see that the algorithm only needs access to the original 
MCS B and to an additional linear amount of memory. □ 

In the next section we will have a situation where we require information about 
the ordering of variables which is not present in the given flow-point invariant, but 
we do not need the whole ordering. We gain efficiency by only performing a partial 
elaboration, defined generally as follows: 
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Definition 5.5. Let / be a flow-point in an MCS and let Ii, . . . , be conjunctions 
of order constraints that are mutually exclusive and satisfy I\ V I2 V • • • = It . 

A partial elaboration step applied to /, I\, . . . , If splits / into k flow-points, fa 
having the invariant Ij, and accordingly replicates every MC from / (or into /). 
Every such MC is consequence-closed under the new source (or target) invariant, 
and eliminated if unsatisfiable. 

Again, it should be obvious that partial elaboration only refines the abstract 
program; it does not lose or add possible runs, up to the renaming of flow-points. 
But it makes the program easier to analyse. As described, it makes the system 
possibly unstable. Stabilizing the system again may require additional flow-point 
splitting. For example, if we split / according to the three possible relations among 
X\ and X2, and there is an MC / — > g with constraints x = x' A y = y', we will be 
forced to split g as well. An important case in which we avoid this complication is 
SCT constraints, and in fact we can allow a bit more: 

Definition 5.6. A semi-SCT system is one in which there are no constraints of the 
form x < y' or x < y'. 

This definition generalizes SCT because flow-point invariants are allowed. 

Lemma 5.7. If A is semi-SCT and stable, applying a partial elaboration step to A 
results in a system A' which is stable as well. 

Proof. It is not hard to see that changing the flow-point invariant of / in a semi-SCT 
system does not imply any consequences for the ordering of variable values at other 
flow-points. □ 

In the next section we have to handle a situation where it is necessary to know 
which variable has smallest value among k unrelated variables, say x±, . . . , x^. The 
reader may verify that it is possible to create k mutually exclusive invariants such 
that in /j, Xi is minimum (with some arbitrary breaking of ties). 

6. Ranking Functions for Integer MCSs 

In this section we develop the algorithm to construct global ranking functions for 
Integer MCSs. The algorithm will process an MCS and either report that it is 
non-terminating, or provide an explicit global ranking function. This problem has 
been solved in the well-founded setting in [6J, improving on a previous solution for 
SCT [22J. Assuming stability, it is possible to solve the problem in the integer do- 
main by a reduction to the well-founded setting (creating difference variables). This 
solution is not satisfactory, due to the potential squaring of the number of vari- 
ables, figuring in the exponent of the complexity. This motivates the development 
of a specialized algorithm. The algorithm will achieve optimal results — in fact, a 
complexity similar to that obtained in the well-founded case. Achieving this results 
required dealing with some complications that will be pointed out in the sequel. 
In preparation, let us recall the definitions and result of [6]. 

Definition 6.1. A global ranking function for a transition system T with state space 
St is a function p : St — > W, where W is a well-founded set, such that p(s) > p(s') 
for every (s, s') E T ■ 
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A ranking function for a MCS A is a ranking function for T4. Namely, it satisfies 
G h p(s) > p(s') for every G G A. 

Remarks: (1) The qualifier global may be omitted in the sequel, since we do not 
deal with the notion of local ranking functions. (2) The definition highlights the 
role of the transition system T4. In fact, to find a ranking function for an MCS, we 
transform it into other MC systems that represent the transition system in a refined 
manner. Therefore the ranking function obtained will be correct with respect to the 
original MCS. 

Definition 6.2 (vectors). Let V be a set of variables. We define ((V)) to be the 
set of tuples v = (vi, V2, ■ ■ ■ ) of even length, where every even position is a variable 
of V, such that every variable appears at most once; and every odd position is a 
non- negative integer constant. 

Definition 6.3. The value of v € ((V)) in program state (/, a), denoted ver, is a 
tuple of integers obtained by substituting the values of variables in v according to 
a. Tuples are compared lexicographically. 

Theorem 6.4 ([6j). Suppose that MCS B is terminating in the well-founded model, 
and has variables V = {xi, . . . ,x n }. There is a ranking function p for B where 
p(f,a) is described by a set of elements of {(V)), each one associated with certain 
inequalities on variables, which define the region where that vector determines the 
function value. The complexity of constructing p is 0(\B\ • n 2n+1 ). 



p(f) 



Here is an example, just to illustrate the form of the function: 

(l,x\, l,x 3 )a if x\ > x 2 
(l,x 2 , l,x 4 }cr if x\ < x 2 . 

Later, to simplify the presentation and the manipulation of such functions, we can 
omit a and write, for example 

(l,:ci, 1,2:3} if xi > x 2 
(1,2:2 1 1,2:4} if xi < x 2 . 

We are thus dealing with functions that associate a symbolic tuple (or set of tuples 
selected by order constraints) to a flow-point. Under the assumption of a well- 
founded domain, the set of tuples is also well-founded by the lexicographic order. 

The theorem can be easily translated to a theorem for Integer MCS, based on 
using pairs of variables whose difference is non-negative and forming a tuple over N 
(so again we have well-foundedness). This is formalized next, and yields our first 
(non-optimal, but simple to describe) solution. 



6.1. The Difference MCS. Let D = | 1 < % < j < n}. We introduce a 

variable xnj\, with & D, to represent each difference Xj — X{. 

Definition 6.5 (difference MCS). Let A be a fully elaborated system, with n vari- 
ables in each flow point, indexed in ascending order of value. The initial difference 
MCS of A is an MCS Afr where: 

(1) The set of flow-points is as in A. The variables are V U W, where V = 
{xi,. . . ,x n } and W = {x (iij) : G D}. 
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(2) For every flow point /, the state invariant Ij includes If plus any constraints 
that can be deduced from the constraints in A, using the rule: 

Xi < X e < X u < Xj X ((> ) < X(i tj y 

(3) To every MC G G A, there is a corresponding MC, G A , in Aq~- It includes the 
constraints in G plus any constraints that can be deduced from the constraints 
of G using the rules 

Xi < x' e < X u < Xj =>- x (i,u) — X (i,j) 
Xi < x' e < x' u < Xj x'^ tU j < X(jj) 
Xi < x'f, < x' u < Xj => x'^ u j < X(ijy 

Observe that can be derived from A by a straight-forward, polynomial-time 
algorithm. It is called initial because in the algorithm presented later it will be 
iteratively refined. But at this stage it suffices. We reproduce the observation from 
Section WTT\ 

Observation 6.6. Satisfaction of Condition S by A is equivalent to satisfaction of 
the SCT condition by .4,^, restricted to the difference variables. 

This allows us to find a ranking function based on the difference variables. The 
original variables (V) will not be used in it. We keep them in the system, however, 
as an aid to the forthcoming, more efficient, algorithm. Applying Theorem EH yields 

Corollary 6.7. Suppose that MCSB is 7r- terminating, and has variables xi, • • • , x n . 
There is a ranking function p for B where p(f) is given as a set of elements of ((W)), 
each one associated with certain inequalities on differences of variables. These in- 
equalities define the region where that vector determines the function value. There 
are at most -B n ( n _i)/2 different vectors for any flow-point. The complexity of con- 
structing p is 0(\B\ ■ (n(n - l)/2) n(n ~ 1)+1 ) = 0(\B\ ■ n 2 ™ 2 ). 

To present the function in a readable way, we will replace the difference variables 
by expressions Xi — Xj, so we obtain a function like this: (the example is only meant 
to illustrate the form) 

( f \ — / (1> x 2 - x 4 , 1, x 3 - x 4 ) if x 2 - x 4 > x 2 - x 3 
\ (l,x 2 - x 4 ,0, x 3 - x 4 ) if x 2 - x 4 < x 2 - x 3 

But this is an unsatisfactory result, because of the n 2 exponent and the fact that 
tuples may include up to n(n — l)/2 variable positions (or at least, this is the bound 
that the theorem gives). The challenge tackled in the rest of this section is how to 
reduce the complexity to and the number of variables in each tuple to n — 1, 

by solving the problem specifically rather than reducing it to the well-founded case. 
This brings the upper bound close to lower bounds (for the length of the tuples, the 
worst-case lower bound is matched exactly) based on the results of [9]. 
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6.2. Overview. The construction below follows the same basic outline as the one 
in [6] , which is also similar to other global ranking- function algorithms such as [2] . 
The construction is iterative, based on the notions of a quasi-ranking function and 
a residual transition system. 

Definition 6.8. Let T be a transition system with state space St. A quasi-ranking 
function for T is a function p : St — > W, where W is a well-founded set, such that 
p(s) > p(s') for every (s, s') £ T ■ 

The residual transition system relative to p, denoted T/p, includes all (and 
only) the transitions of T which do not decrease p. 

The outline of the algorithm is: find a quasi-ranking function, generate a rep- 
resentation of the residual system, repeat as long as the system is not vacant (i.e., 
has transitions). If the quasi-ranking functions found are tuple- valued functions 
pi, p2, ■ ■ ■ , Pk, it is easy to see that pi ■ p% ■ . . . ■ p^ is a ranking function, where • is 
tuple concatenation, extended naturally to functions (it is tacitly assumed that care 
is taken to maintain the correct structure regarding even and odd positions in the 
tuples). 

What are the quasi-ranking functions and how are they found? We have two 
major cases, depending on the connectivity of the control-flow graph. If it is not 
strongly connected, there are flow-points that can only occur in a particular order, 
and we obtain the quasi-ranking function just by assigning suitable numbers to 
flow-points. This is the easy case. The case of a strongly-connected system is the 
important one. In [6], it was shown that, thanks to full elaboration, it is always 
possible to identify a single variable Xj, for each flow-point / so that the function 
p(f) = Xi f is quasi-ranking. The proof of the existence of such a variable, and the 
algorithm to find it, make essential use of the fact that the n variables are totally 
ordered by the flow-point invariant. In the current setting, we have a total order on 
the original n variables, but this does not induce a total order on the n(n — l)/2 
difference variables, and it is them that will constitute the quasi-ranking functions. 
So, to obtain the results below, the main effort (given the results of [6]) has been 
to find a way to deal with the partially-ordered set of difference variables without 
resorting to fully ordering them (as that would create an n 2 exponent again). 

Throughout the rest of this section, A denotes a fully-elaborated MCS that 
satisfies Condition S, and the initial difference MCS. The algorithm begins with 
A^, and then, iteratively, refines and restricts it, while constructing quasi-ranking 
functions, so that in general, the sub-algorithm for finding a q.r.f. works on an MCS 
that has already changed from the initial one. We define a difference MCS to be 
any MCS A A obtained from A A by a series of partial elaboration steps, as defined 
in Section [5j and restrictions. Thus A A is one of a sequence of MC systems Af, 
starting with Afr, so that 

aA ^ aA 
•^2i+l —<t>i ^2i 

•A-21+2 <S ^2i 

So, for all j, A A Aq~ for an appropriate <j). The goal of each elaboration step is 
to allow for finding a q.r.f., and the subsequent restriction represents the residual 
transition system relative to the current quasi-ranking function. Note that the 
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elaboration steps do not involve a re-indexing of variables — this is important since 
we rely on the indexing of the original elaborated MCS A. 

6.3. Preparations for the construction. We begin with a few definitions and 
properties that the algorithm relies on. These definitions are taken (with some 
adaptation) from previous work on SCT, and therefore refer as threads to what 
we have named down-threads. Since our analysis of the difference variables is SCT 
analysis — only down-threads are considered — let it be understood that in the context 
of difference variables, a "thread" is a down-thread. 

Definition 6.9 (thread preserver). Given difference MCS A^~, a mapping P : — > 
V(D) is called a thread preserver of A A if for every G A : f — > g in A^ it holds that 
whenever a € P(f), there is (3 € P(g) such that G A h x a >x'a. 

It is easy to see that the set of thread preservers is closed under union. Hence, 
there is a unique maximal thread preserver, which we denote by MTP(^4 A ). Given 
a standard representation of A A , MTP(A^) can be computed in linear time [8]. 



We also need the following definition and results: 

Definition 6.10 (complete thread). A thread in a given multipath is complete if it 
starts at the beginning of the multipath, and is as long as the multipath. 

Lemma 6.11. Let be an infinite multipath. If every finite prefix M of 
contains a complete thread, then M m contains an infinite thread. 

Proof. The proof is a straight-forward application of Konig's Lemma. □ 

Lemma 6.12. If a strongly connected MCS satisfies SCT, every finite multipath 
includes a complete thread. 

The proof is straight-forward and left out. 

Definition 6.13 (thread-safe). We call a variable thread-safe at flow-point / if 
every finite multipath, starting at /, includes a complete thread starting at that 
variable. 

6.4. Finding a singleton thread-preserver. The role of this part of the algo- 
rithm is to single out a variable x a . for every flow point, such that these variables 
constitute a singleton thread-preserver (i.e., P(f) = {«/} be a thread preserver). 
Observe that this induces a quasi-ranking function, namely p(f) = {x af }. We as- 
sume, until further notice, that we are dealing with a strongly-connected MCS; the 
complete algorithm will provide for the non-strongly-connected case. 

Definition 6.14 (ordering of D). We write (i,j) C (i',j') for containment of the 
interval {i, . . . ,j} in the interval {i', . . . 

Containment is a partial order, and moreover a semi-lattice with join operation 
(hj) u (*',/) = (min(i, j),max(i',f)). 

Recall that indexing the variables in ascending order of value, during full elab- 
oration, provided a useful downward closure property. In particular, the lowest- 
numbered variable among a set of variables has the smallest value. This was crucial 
in the construction of [6], and here, we give as a substitute the following (more 
subtle) lemma for the difference variables. 
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Lemma 6.15. Let A A be a difference MCS for a fully elaborated A. Each MC, G A , 
of A A has the following properties: 

(1) If G A h x a > x'p, then G A h x 7 > x'^ for every 7^0. 

(2) // G A hi a > x' p , and G A h x a > x'^, then G A h x a >x' s for every 5 C /3 U 7. 

Proof. We prove only the second claim (being a bit more involved). Let a = (a/, a^), 
(3 = (bi,bh) and 7 = (q, c/J. The inequality x a > means x a , < x' b and > x' b 
and similarly for the second inequality, so we have: 

%ai — 2-111111(6;, c; ) j -£<2jj — ■^max(b^,Cft) • 

That is, x a > x^ U7 , which entails the conclusion. □ 

Lemma 6.16. Assume that A A is strongly connected and satisfies SCT in the dif- 
ference variables. For every f , let S(f) be the set of indices of difference variables 
that are thread-safe at f in A A . Then S(f) is not empty for any and 
S = MTP{A A % 

Proof. Let M be any finite ,A A -multipath starting at /. Since A A satisfies SCT and 
is strongly connected, there must be a complete thread in M, say starting at x a . 
But then X(i in ) can also start a thread. It follows that (l,n) G S(f), so S(f) is not 
empty. 

We now aim to show that S is a thread preserver. Let a £ S(f), and let 
G A : / — > g. Let -ff A be any MC with source point g, M a finite multipath starting 
with H A and consider the multipath G A M = G A H A . ... By definition of S(f), it 
has a complete thread that begins with an arc from x a , say x a — > x'o, followed 
by an arc of H A , say xp M — > x' . Let B be the set of all such indices (3m (where 

M ranges over all rnultipaths starting with H ), and k — j \B. Then x a — y 

is an arc of G A by Lemma EE©; and bv EBjg ) one can see that, for each M, 
H A has an arc x K — > x' . Thus, M has a complete thread beginning with x K , 
and k is, by definition, in S(g). We have proved that S has the thread-preservation 
property. On the other hand, it is easy to see that if P is a thread preserver such 
that P(f) 7^ 0, then the variables indexed by P(f) are thread-safe at /. Thus every 
thread preserver is contained in S, and we conclude that S = MTP(^ A ). □ 

Lemma 6.17. Assume that A A is strongly connected and satisfies SCT in the dif- 
ference variables. Let P be a thread preserver (in difference variables) and suppose 
that for every f € F- 4 - , invariant I A implies that a certain variable x af has small- 
est value among the variables of P(f). Then every G A : f — y g includes 
In other words, {a/} constitutes a singleton thread preserver. 

Proof. By the definition of a thread-preserver, each MC G A : / — > g must have an 
arc x Q j, t x o for some f3 G P(g); so by Lemma EEl® , G A includes X Q/ r f X • 

□ 



This notation refers to a maximal thread preserver involving the difference variables only. 
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Since the lemma applies to any thread preserver, the easiest implementation is 
to use the MTP, just because it can be found efficiently. The difficulty in applying 
the lemma is that the difference variables are only partially ordered, so in a given set 
of variables there may be no variable that is necessarily of smallest value. In order 
to make the lemma applicable, we shall use partial elaboration. Specifically, observe 
that given P(f), there can be at most n — 1 candidates for the variable of smallest 
value. This is so because in the poset of intervals there is no antichain bigger than 
n — 1. Suppose that for flow-point /, the set of potential smallest variables in P(f), 
P m in(/), has more than a single element. We will then create a duplicate f a of / 
for each a € P m m(f), and add different constraints to each one, such that in f a , x a 
will be minimum, as required by the lemma. This is a case of partial elaboration, 
as described in Section [5l and due to the fact that the constraints on difference 
variables are semi-SCT, the duplication does not trigger a cascade of duplications 
of other flow-points (Lemma I5.T|) : we thus increase the size of the system at most 
(n — l)-fold. After this processing, Lemma 16.171 can be applied. 

In the following lemma we formulate the conclusion in a somewhat generalized 
manner, which will be useful later. Recall that D is the set of indices of all difference 
variables. 

Lemma 6.18. Let A A be a strongly connected difference MCS, that satisfies SCT 
restricted to a certain subset of the difference variables at each flow-point f , given 
by T(f) C D, such that T(f) is closed under U. Procedure SingletonTP(^4 a , T) 
below finds a singleton thread preserver within T, while (possibly) modifying the 
MCS by partial elaboration. The partial elaboration involves duplicating each point 
f at most n — 1 times. 

Algorithm 6.19. SingletonTP(.4 a , T) 

(1) Compute P = MTP(.4 A ,T), the MTP of A A restricted to the variables T(f) 
for each /. If empty, the procedure fails. 

(2) For each / E , identify the minimal elements of P(f), based on the flow- 
point invariants. Suppose that there are k > 1 minima, x ai , . . . , x ak . Let 
I be the invariant of /; create mutually exclusive invariants Ji,...,J& such 
that Jj includes I with added constraints x ai < x aj for j < i, and x ai < x aj 
for i < i < k. Perform partial elaboration, replacing / by k copies with the 
respective invariants. Choose x ai for the thread preserver at the i'th copy of /. 

Note that the results of the procedure (unless it fails) are a possibly modified MCS 
and its thread preserver. 

6.5. Systems with frozen threads. Having found a quasi-ranking function, our 
next step is to modify to A A so that it expresses the residual system. This includes 
the following changes 

(1) Transitions in which the quasi-ranking function strictly decreases (that is, we 
have G A h x aj > x ag ) are removed. 

(2) In transitions where the quasi-ranking function was not known to decrease 
strictly (that is, we only had G A h x af > x ag ) it is now required not to change. 

We now recall another idea from [6], freezers. A freezer is a singleton thread- 
preserver where the values are "frozen," that is, constrained not to change. 
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Definition 6.20 (freezer). Let A be an MCS and C : F A — > {1, . . . , n} a function 
that associates one original variable (technically, the index of one such variable) to 
to each flow-point. Such C is called a freezer if for every G € A, G h xc(f) = x 'c( g )- 

In our case, we have a thread of difference variables x af that we wish to constrain 
not to change. Suppose that G A h x a , > x ag , where a/ = (l,h) and a g = 
In order that the differences before and after the transition be the same, we must 
have both x\ = x\ and Xh = x'y Therefore, every arc like that, participating in the 
singleton thread-preserver found, implies that two inequalities in original variables 
are restricted to equalities, creating two freezers. 

Assuming that there still are cycles in the MCS, we need to look for an additional 
quasi-ranking function. We have to restrict the search in order not to find the same 
quasi-ranking function again (which, albeit "frozen," is still a q.r.f.). This requires 
a bit further analysis. 

The following observation comes easily from full elaboration: 

Observation 6.21. Freezers are consistently ordered by the relations among their 
variables. That is, if Cl and Ch are freezers and If h xcM) < x Ch(}) f° r some 
flow-point /, then this relation holds in every flow-point and we write Cl < Ch- 

Note that due to the re-indexing in full elaboration, the order relation among 
the freezers matches the relation among the indices Ci(f) and The case 

of variables related by an equality constraint at a flow-point is less obvious but, in 
fact, if variable x±, say, is "frozen" and If h x\ = X2, then x<i is also "frozen". To 
make a long story short, the algorithm below has the property that if two variables 
are constrained by equality, once one of them has been used for a thread-preserver 
and thereafter put into a freezer, the other can safely (and advantageously) be 
ignored (yet we ignore this situation in the description of the algorithm, to simplify 
presentation) . 

Lemma 6.22. Suppose that A^ is strongly connected, and has some freezers, among 
which Cl is lowest and Ch highest. And suppose that A^ terminates. Divide the 
indices of original variables, for every flow-point f , into three regions: the lower 
region V (f) = {1, . . . , C L (f)}, the middle region V\{f) = {C L {f), C H (f)}, and 
the upper region V^(/) = {Cn(f), ■ ■ ■ ,n}. Then every infinite A^-multipath has an 
approaching pair confined to one of the regions. 

Proof. Let M be an infinite multipath of A, M = fo — \ fx — I /2 • • • Suppose that 
M has an approaching pair: the low up-thread (x[k,lk])k=o,i,... and the high down- 
thread (x[k, hk])k=o,i,...- 

At least one of the low and high threads has to be infinitely often strict; let us 
suppose that it is the high thread (the other case is similar). This thread cannot 
intersect any of the the frozen threads infinitely often (or we would have an unsat- 
isfiable section of the multipath, contradicting Lemma 13.4ft ; so in an infinite tail of 
the multipath (which is all that matters) it lies either always above Ch, or below 
Cl, or between them; to avoid a trite case analysis, let us pick just one of the cases, 
and suppose that the thread uses variables above Ch, that is, from V2. Now, we 
can let Ch play the part of the low thread, to obtain an approaching pair within 
the upper region (V2). □ 
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Corollary 6.23. Under the assumptions of the last lemma, define regions of differ- 
ence variables: 

D (f) = {(i,j)\i<j<C L (f)}; (6.1) 
Di{f) = | C L (f) <i<j< C H (f)}; (6.2) 

D 2 (f) = {(i,j)\C H (f)<i<j}; (6.3) 

then in every infinite A A -multipath there is an infinitely- descending thread of dif- 
ference variables within one of these regions. 

Lemma 6.24. Under the assumptions of the last lemma, there is a region D r that 
contains an infinite thread ( corresponding to a weakly approaching pair in V r ) in 
every infinite -multipath. 

Note the change in the order of quantification: the region is selected before the 
multipath, at the expense of not guaranteeing strict descent in every multipath. 

Proof. Assume to the contrary that for each of r = 0, 1, 2 there is an infinite multi- 
path in which Region D r contains no infinite thread. By Lemma [6.11l there are finite 
multipaths Md, Mi, M2 such that Mj has no complete thread in region i. Since our 
MCS is strongly connected, one can form a multipath (Mo . . . Mi . . . M2 . . . ) w , which 
will have no infinite thread in any of the regions, contradicting Corollary 16.231 □ 

Let r be such that there is always an infinite thread in D r . We can use the 
strategy of the previous subsection to find a singleton thread preserver, thus making 
progress in our construction. But is it progress? There is a pitfall: in the case of 
the middle region, our procedure may find a pair of variables that was already 
frozen (they constitute a weakly approaching pair, but they really never approach). 
However, the middle region can be treated in a special way that avoids the pitfall 
and is also more efficient. 

Lemma 6.25. Under the assumptions of Lemma \6. 2S\ An infinite multipath M 
contains an approaching pair within the middle region (V%) if and only if this region 
contains a thread — either a down-thread or an up-thread — which is infinitely often 
strict. Such a thread is disjoint from the two freezers delimiting this region. 

Proof. The non-trivial implication is the "if," but it is also quite easy: suppose that 
the region contains an infinitely-often strict down-thread (up-thread). It can be 
complemented to an approaching pair by using Cl (Ch) for the other thread. □ 

From this lemma we conclude that the middle region can be reduced to the 
following two subsets of difference variables: 

Di if) = {(C L (f)J) I C L (f) < j < C H {f) such that Xj is not frozen in /} (6.4) 

£>f (/) = {(i,C H (f)) I C L (f) < i < C H {f) such that a* is not frozen in /}. (6.5) 

Both sets of intervals are closed under U and Lemma 16.181 applies. Moreover, these 
sets of intervals are totally ordered, which means that no elaboration steps will be 
needed when looking for a singleton thread-preserver among them. 
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6.6. Putting it all together. 

Algorithm 6.26. (ranking function construction for „4 A ) 

Assumes that _4 A is a difference MCS. The system may also be adorned with 
any number of freezers. If A A terminates, a ranking function will be returned. 
Otherwise, the algorithm will fail. 

(1) List the SCCs of A A in reverse-topological order. For each / € F^ A , let Kf be 
the position of the SCC of /. Define p(f) = (Kf). 

If all SCCs are vacant (contain no transitions), return p. 

(2) For each SCC C, compute a ranking function pc by applying the next algorithm 
to the component (separately). Let p' = [_} pc- Return p ■ p' . 

Algorithm 6.27. (for a strongly connected A^) 

(1) If no freezers are associated with _4 A , run SingletonTP(.4 a , D) and proceed 
to Step 3. 

(2) If some freezers are associated with A^, let Cl and Ch be the lowest and highest 
freezers^. For every flow-point /, create the sets of difference variables Dq(/), 
D{ (/), Df (/), D 2 (f), as defined in Equations (|6TTti63]) . 

(1) Run SiNGLETONTP(^ A ,Df) for x = L and then H. If one of these calls 
succeeds, proceed to Step El 

(2) Run SingletonTP(„4 a ,D )- If successful, proceed to Step El 

(3) Run SingletonTP(^ a ,D 2 )- If successful, proceed to Step El If not, the 
algorithm fails. 

(3) (Create residual system) Let P be the thread preserver found. For every graph 
G A : / — >■ g, if it includes £p(/) > x 'p[ g )i delete the graph from A A . Otherwise, 
retain the graph. Also include @ C\ (f) = ttiP(/), C 2 (f) = n 2 P(f) as freezers 
associated with A A . 

(4) For every /, let p(f) = (x P(/) ). 

(5) If A A is now vacant, return p. Otherwise, compute a ranking function p' recur- 
sively for (what remains of) A A , using Algorithm 16. 26| and return p ■ p'. 

Recall that O(f) is a shorthand for 0(/-log 0( - 1 - ) /). Thus 0(n n ) is asymptotically 
dominated by n n times a polynomial in n. For an MCS A, let |^4| denote the number 
of abstract transitions (MCs) in A (without loss of generality, |^l| > (P" 4 ])- 

Theorem 6.28. Let A be a fully- elaborated, ir -terminating MCS, with n variables 
per point. Algorithm \ 6.26l applied to A A , produces a ranking function p : P" 4 — >• 
((W)) where each vector includes at most n — 1 difference variables. The complexity 
of construction of p is 0(\A\ ■ nl). 

Proof. Assuming that the correctness of the algorithm has been justified convinc- 
ingly enough, we now discuss the complexity. One should consider the effect of 
partial elaborations by SingletonTP. Such a step may make up to n — 1 copies 
of every flow-point. However, each time it is performed, at least one new freezer is 
subsequently created (in the first time, two freezers). Therefore, this multiplication 

case in which there is only one freezer is acceptable. Cl and Ch are then the same thread 
and Step (2a) is skipped. 

^We use the projections ni , n2 to map indices from D to their components. 
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of flow-points can occur at most n — 1 times, leading to the upper bound on the 
length of the vectors. Since the number of variables participating in the search for 
quasi-ranking functions diminishes in each iteration, we obtain a bound of \F^\ • n\ 
on the size of the resulting expression, which associates a vector with each of the 
flow points of the mostly elaborated system obtained. The running time is further 
multiplied by a (low order) polynomial expressing the complexity of the procedures 
at each level of the recursion. □ 

Theorem 6.29. Let B be a ir -terminating MCS, with n variables per point. A 
ranking function p for B where p{f) is given by a case expression with inequalities 
among differences for guards; the value in each case is given by a vector in ({W)), 
that includes at most n — 1 difference variables. The complexity of construction of 
p, as well as the size of the expression, are 0(\B\ • 2 n (n!) 2 ). 

Proof. First, fully elaborate B, yielding an MCS of size at most \B\-B n < \B\ -2 n (n!), 
then use the last theorem. □ 

The algorithm could, in principle, be used just to determine if a system is 
terminating, and with an exponent of 0(n log n), better than the 0{n 2 ) exponent 
given in Section [U However, the use of full elaboration makes it unattractive in 
practice because it blindly generates the worst case (all possible ordering of variables) 
for every input instance. In contrast, the algorithms of Section |4] will often perform 
much better than their worst-case behaviour. 



7. Rooted Versus Uniform Termination 

Up to this point, the notion of termination used was uniform termination, which 
means that there must be no cycles in the whole state space of the modeled transi- 
tion system. Practically, what we usually require is rooted termination, when only 
computation paths beginning at a given initial point /o are considered. 

Z: There is no difference between the treatment of this subject in the well-founded case and 
here, but the examples below should illustrate that the issue is doubly important in the 
current setting. 

Here is a little C example to show the importance of rooted termination: 
if (x<0) 

while (y > 0) y = y+x 

Consider an abstraction that represents the command y=y+x by three parallel MCs, 
as discussed in Example 12.111 It can be shown to terminate when only paths from 
the top of the program are considered. The example could also be solved by a 
preprocessing that calculates state invariants, such as x < inside the while, as 
is often done in program analysers. But this can get complicated: the following 
example would require an invariant that specifies the dependence of variable b on 
x. This kind of invariant that is not found in common invariant generators (namely 
those that describe a state by a conjunction of linear constraints). However with 
rooted termination, no invariants are necessary other than the direct translation of 
the conditionals to monotonicity constraints. 
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if (x<0) b=l 
else b=0; 
if (x<>0) 

while (y > 0) 

if (b) y = y+x; 
else y = y-x; 

We conclude that it is desirable, practically, to account for rooted termination. Up 
to this point, this was avoided only in favor of simplicity of presentation. However, 
it is very easy to do: with a stable system, unreachable states will be represented 
by flow-points that are inaccessible from fo, due to Lemma 13.41 

Thus, all that is necessary is to remove inaccessible parts of the CFG, or bet- 
ter yet, never generate them in the first place, by creating the stabilized (or fully 
elaborated) system in the manner of a graph exploration (say, DFS) starting at the 
initial point, only covering the reachable state space. This can occasionally have a 
significant effect on efficiency (in particular with full elaboration), as confirmed by 
our experience with implementing full elaboration [31] . 

Example 7.1. To conclude this section, here is another example which illustrates 
the effectiveness of the MCS abstraction in expressing disjunctions, besides the need 
for rooted termination. Disjunction is used in expressing the condition x != 0, as 
well as representing the command x := x-1. 

assert x > 

while (x != 0) x := x-1 

Abstraction: unlike previous examples, we will not merge this time the loop guard 
with the loop body, in order to clarify the transformation. We will thus have three 
flow-points, (initial), 1 (loop header) and 2 (loop body). 
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8. Some Related work 

The field of termination analysis is well developed and it is infeasible to survey it 
extensively here. This section will point out some works that are related inasmuch as 
they base a termination analysis on the behavior of integer variables. The following 
questions are asked when considering such works: 

(1) Does the proposed algorithm or tool work on an abstract transition system, 
or on concrete programs? Clearly the case that can be best related to the current 
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work is the former. Therefore, much work of the second kind is ignored here; but it 
is not hard to find. 

(2) What abstraction is used? In particular, are monotonicity constraints used? 

(3) What is the main technique? Is it complete for the given abstraction? (It 
is also possible to ask if there would have been completeness, had the method been 
applied to MCS. I have tried to answer this question, though some of the methods 
are not fully described in the publications, so it is difficult to be precise.) 

We start with those works which mostly resemble the current paper. 

(1) Manolios and Vroon [27] describe a termination analysis implemented in the 
ACL2 theorem prover. It works on concrete programs using the SCT abstrac- 
tion. It handles termination arguments involving integers by introducing the 
difference of two concrete integer variables as an abstract variable, when it can 
be determined (using theorem proving techniques applied to the source program) 
to be non-negative. Of course, it may also include a single integer variable if 
it is determined to be lower-bounded. Since concrete programs are the subject, 
no completeness claim is made. It would be possible to represent an MCS as a 
program and apply the tool, but completeness is still unlikely because, as pre- 
viously remarked, this reduction to SCT has to be combined with stabilization 
to achieve completeness. 

(2) Avery [3] describes a tool to analyze C programs by first abstracting them 
to a constraint transition system of the following form: transition constraints 
use inequalities (>, >, <. <) to relate source and target variables; flow-point 
invariants are polyhedral ones, that is, conjunctions of linear inequalities in 
state variables and constants. This is clearly a generalization of MC transition 
systems, however one expressive enough to represent counter programs, which 
means that termination is undecidable. The (sound but incomplete) algorithm 
is based on closure computation, where the composition operation used to form 
the closure takes into account only the variants (source-to-target relations, which 
are MCs) and not the invariants. For each idempotent graph in the closure, the 
invariants are taken into account when deciding which variables would imply 
termination if they descend. 

Clearly, the algorithm could be applied to MCs. What bars it from achieving 
completeness in this case is the fact that the control-flow graph is not refined 
(i.e., no stabilization). Here is an example to illustrate this limitation (the 
program consists of a single loop with the following description) 

y>wAx>x / Ax>y / Aw<z / Aw<w / 

Note that the only invariant which is valid whenever the transition is entered is 
y > w, which is not very helpful. 

(3) Termilog |24j was a termination analyzer for Prolog, that made use of an 
abstraction to monotonicity constraints and a closure computation plus a local 
test, which is sound but incomplete for the MC constraint domain, as pointed 
out in [12]. The variables of the abstraction represent certain norms of symbolic 
terms in the Prolog program. They are, therefore, non-negative integers and the 
termination proof only looks for descent towards zero. We should remark, how- 
ever that they do not use "abstract compilation" as in our examples. Instead, 
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an abstract interpreter is used to compute the closure set. This may be more 
precise with respect to the semantics of the subject program, see (19] . 

In |17j . Dershowitz et al. reformulated the principles underlying the usage 
of monotonicity constraints in Termilog, and also proposed an extension to 
handle programs with integer variables and arithmetics. Their proposal is based 
on creating a "custom-tailored" domain for abstraction of the integer variables, 
based on constraints extracted from the program. Their algorithms are Prolog- 
specific, and do not analyze a contraint-based abstract program, but it seems 
that it could be applied to MC transition systems (appropriately represented) 
and that the proposed abstraction process may actually compute a (partial) 
elaboration and obtain a stable system. It will further attempt to prove termi- 
nation for every cyclic MC by "guessing" a local ranking function. The functions 
they propose to "guess" are differences (xj — Xj), which we know to suffice for 
Idempotent cyclic MCs (See Definition I4.21t the function is — x/). How- 
ever, such functions do not suffice for all cyclic MCs [12]. We conlcude that it 
would be desirable to apply the idempotence-based algorithm with their frame- 
work (which, in fact, they do in the part that deals with symbolic variables and 
norms). 

(4) Terminweb [13J is a termination analyzer for Prolog. It uses a procedure which 
tries to prove termination of an abstract program, and there are two kinds of 
abstractions used. In the first, transitions are described by polyhedra. In the 
second, by monotonicity constraints. In both cases, the data are non-negative 
integers and the termination proof sought is based on descent towards zero. As 
for the methods, closure computation and a local termination test are used; in 
the polyhedral case, the closure is approximated (using widening) for otherwise 
it might be infinite. For the monotonicity-constraint abstraction, the closure 
computation is precise, but the local termination test is incomplete, as pointed 
out in [12] . 

(5) Mesnard and Serebrenik [28J show that for abstract programs with transitions 
defined by polyhedra (conjunctions of linear inequalities), when the data are 
rationals or real numbers, it is possible to determine in polynomial time (using 
linear programming) whether there is a global ranking function that associates 
an affine combination of the variables with each flow-point. This is an extension 
of the idea previously presented by Sohn and van-Gelder [32J. The existence of 
such a function is, of course, a sound (but incomplete) criterion for termination, 
and restricting the data to integers maintains its soundness. 

(6) The BinTerm analyzer of Spoto, Mesnard and Payet analyzes abstract pro- 
grams and serves as a back-end to the Java Bytecode termination analyzer 
Julia [33]. The abstraction that it uses is a transition system with polyhedral 
constaints, and it applies a selection of strategies, which it tries one by one. The 
first two correspond to the two methods of Terminweb, slightly modified since 
the domain is now the integers. Thus, both for polyhedral transitions and for 
MCs, its local test is based on a search for an affine ranking function. In the MC 
domain, such a test would be complete in the stable case, but is not complete 
in general. The third method used is the method of Mesnard and Serebrenik. 
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(7) Colon and Sipma |14j is representative of a series of works that ostensibly target 
imperative programs, but work, in fact, on a constraint-transition system with 
linear (affine) constraints (the domain may be assumed to be the rationals, the 
reals or the integers) and search for global ranking functions of the lexicographic- 
linear type, using linear programming techniques. 

Alias et al. [2] use the same general approach, but their class of ranking 
functions is more general (specifically, each q.r.f. associates a linear expression 
with every flow-point, whereas in [14J, a q.r.f. is a single expression throughout a 
SCC). The lexicographic approach is, of course, more general than just looking 
for a single affine global ranking function (as in |28|). but still does not guarantee 
completeness for MCSs, where the ranking function sometimes has to depend 
on the order relations of the variables, and so is not linear (a simple example is 
a ranking function min(x,y)). 

Both methods rely on polyhedral invariants associated with a flow-point 
(in [2], they are part of the abstract program, and would be generated by a 
front-end; in pi], they are recomputed in each stage of the algorithm, which 
may improve its precision). 

(8) Noting that monotonicity constraints are a special case of polyhedral constraints, 
it is natural to look for other interesting subclasses, possibly richer than mono- 
tonicity constraints. The class of difference constraints is defined by constraints 
of the form x — y < c. Termination of such constraint transition systems is shown 
undecidable in [3]. Decidability in PSPACE is proved for a restricted subclass, 
called fan-in free 5SCT. This class is incomparable to MCSs (their intersection 
is fan- in free SCT). 

(9) There are several published works that address a special subclass of constraint 
transition systems: simple loops, namely transition systems with only one con- 
trol location (flow point). Moreover, some of them consider a single-path loop, 
consisting of one abstract transition only. This appears like a far-fetched re- 
striction, but nonetheless, such simple loops can be complex enough to merit 
theoretical interest, and practically, an algorithm to decide termination of such 
a loop can be used as the local test in a closure-based algorithm, or an algorithm 
based on counter-example based search (see [16J for a well-known example of 
the approach). 

Single-path loops, represented with polyhedral constraints, are handled using 
linear ranking functions in [29] . Bradley, Manna and Sipma [TO] extend this to 
a multi-path loop, and show how to find a lexicographic-linear ranking function. 
In [11] , the approach is generalized so that the components of the ranking tuple 
are not required to be quasi-ranking functions, but only "eventually" quasi- 
ranking, that is, they may ascend initially but must eventually descend (as in 
Example GDI]). 

A few of the works mentioned also generate global ranking functions. [2] generates 
lexicographic-linear ranking functions. This is also the case with pi], although they 
are not explicit about it, and their class of functions is more restricted. In (28) , the 
class is restricted to affine functions. All the works mentioned for analyzing simple 
loops are ranking-function based, but only those in [101 [TT] may be truly called 
"global" since they apply to all the paths of a multi-path loop. 
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9. Conclusion and Research Questions 

We studied the MCS abstraction, an appealing extension of the Size-Change Termi- 
nation framework, that can be used for termination analysis in the integer domain. 
We showed how several elements of the theory developed in the well-founded model 
can be achieved in the integer case: sound and complete termination criteria, closure- 
based algorithms and the construction of ranking functions in singly-exponential 
time. Global ranking functions may be useful for certified termination [211 fT5j [20] 
and cost analysis [TJ [2], and the complexity achieved here is better than what has 
been published before for SCT. 

Hopefully, this paper will trigger further research, moving towards the prac- 
tical application of the theory presented. Some of the systems mentioned in the 
last section can gain an increase in precision by incorporating a complete decision 
procedure for monotonicity constraints, and it is encouraging that abstraction of a 
concrete program to monotonicity constraints either exists already in these systems 
or can be added with very little effort, typically because richer domains are already 
used (such as affine relations). 

The algorithms in this article were aimed at getting the theoretical results with a 
minimum of complications. They can certainly be improved in practice (as discussed 
in the conclusion of [6]). 

Cases like Example 12.101 suggest that it may be worthwhile to treat Boolean 
variables as such, so that they do not get entangled with the integer variables in the 
course of elaboration, creating an unnecessary combinatorial explosion. A better 
idea is to extend the MCS abstraction to include Boolean variables and extend the 
termination criteria and algorithms to account for them precisely. This may be a 
useful extension in practice, and moreover, it allows for adding information that does 
not come straight-forwardly from the program, in the form of "invented" Boolean 
variables — leveraging abstraction techniques used in the area of model checking. 

Here are a few other directions for extension of this work: 

(1) Investigating extensions of the constraint domain, particular to the integers 
(i.e., not appropriate for general SCT). An example is difference constraints 
(mentioned in the last section). 

(2) Proceeding from termination analysis to analysis of a program's complexity 

mm. 

(3) The idea of using multiple abstractions (one may speak of abstractions of vary- 
ing refinement) in a single tool in quite enticing. One can also consider an 
abstraction-refinement loop [16] which allows for eliminating spurious counterex- 
amples by specialized tools, while using size-change analysis as a backbone. 
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